APPLICATION OF REDUNDANCY IN THE SATURN V
GUIDANCE AND CONTROL SYSTEM

F. B. Moore and J. B. White 
Guidance and Control Division, Astrionics Laboratory
NASA, George C. Marshall Space Flight Center
Huntsville, Alabama


Abstract 


The Saturn launch vehicle's guidance and control system is so complex
that the reliability of a simplex system is not adequate to fulfill
mission requirements. Thus, to achieve the desired reliability,
redundancy encompassing a wide range of types and levels was employed.
At one extreme, the lowest level, basic components (resistors,
capacitors, relays, etc.) are employed in series, parallel, or
quadruplex arrangements to insure continued system operation in the
presence of possible failure conditions. At the other extreme, the
highest level, complete subsystem duplication is provided so that a
backup subsystem can be employed in case the primary system
malfunctions. In between these two extremes, many other redundancy
schemes and techniques are employed at various levels. Basic redundancy
concepts are covered to gain insight into the advantages obtained with
various techniques. Points and methods of application of these
techniques are included. The theoretical gain in reliability resulting
from redundancy is assessed and compared to a simplex system. Problems
and limitations encountered in the practical application of redundancy
are discussed as well as techniques for verifying proper operation of
the redundant channels.

As background for the redundancy application discussion, a basic
description of the guidance and control system is included.


Nomenclature 


$P$, $\bar{P}$    probability of success and failure, respectively, of a redundant arrangement or system

$P_a$    actual but unknown system reliability

$P_c$    estimated reliability obtained through sampling

$P_K$    reliability gained by considering failures in opposite directions cancelling in a TMR digital arrangement

$P_h$, $P_{h'}$    probability that the h and h' converter, respectively, in a duplex power supply is good

$P_{h\,\mathrm{low}}$, $P_{h'\,\mathrm{low}}$    probability that the h and h' converter, respectively, in a duplex power supply fails low

$p_1, p_2, \ldots, p_n$    probability that the events $\xi_1, \xi_2, \ldots, \xi_n$, respectively, will occur

$R$, $\bar{R}$    probability of success (or reliability) and failure, respectively, of a simplex unit

$R_1$, $R_2$    reliability of memory modules 1 and 2, respectively, of a duplex pair

$A$    ratio of failures detected by current sensing to all failures in a duplex memory

$R_a$, $R_b$, $R_c$, $R_d$    probability of success of a simplex unit denoted by the subscript

$F$    number of units that have failed in a simplex system after time t

$R_{a1}$, $R_{b1}$, $R_{c1}$    probability that the a, b, or c unit, respectively, fails to a logical "1"

$k$    environmental adjustment factor

$R_{a0}$, $R_{b0}$, $R_{c0}$    probability that the a, b, or c unit, respectively, fails to a logical "0"

$m$    total number of trials in simulated sampling

R , R    reliability of a power supply (or excitation source) and a simplex feedback amplifier, respectively

$N$    number of remaining good elements in a simplex system after time t

         number of duplex memory pairs in series

$N_i$    number of components of type i

$R_h$, $R_k$    reliability of a simplex converter and the accelerometer encoder and signal conditioning circuitry, respectively

$N_o$    number of components or elements comprising a simplex system

R , R    reliability of the logic and an actuator-servoamplifier channel, respectively

$n$    number of modules in a simplex computer

$R_m$, $R_o$    multiplexer and oscillator reliability, respectively

$R_q$, $R_s$    reliability of the subtract and limit check circuitry and a switch, respectively

         reliability of platform sliprings, gimbal angle resolver, and two crossover detectors

$R_v$, $R_w$    reliability of a decision element (or voter) and a hydraulic supply, respectively

$R_{\dot{\varphi}}$, $R_{\varphi}$    reliability of an attitude rate command channel and an attitude command channel, respectively

$S$    possible states of an element

$T$, $t$    total mission time and operating time, respectively

$t_{ik}$    time at which the k-th failure of the i-th type component occurs

$U$    unreliability or probability of system failure, expressed in terms of failures per million

$U_r$    unreliability of a redundant arrangement, expressed in failures per million

$U_{ra}$    unreliability of the redundant platform system through the orbital injection phase, expressed in failures per million

$U_{rb}$    unreliability of the redundant platform system during earth orbit and lunar injection phase, expressed in failures per million

$U_{rab}$    unreliability of the redundant platform system during all flight phases, expressed in failures per million

$U_{rp}$    unreliability of the redundant portion of an arrangement containing both redundancy and simplex units, expressed in terms of failures per million

$U_s$    unreliability of a simplex subsystem or system, expressed in failures per million

$U_{sp}$    unreliability of the simplex portion of an arrangement containing both redundancy and simplex units, expressed in terms of failures per million

$V_a$, $V_b$, $V_c$    decision element state denoted by the subscript

$Z_c$    confidence limit expressed in terms of standard deviations

$\lambda$, $\lambda_i$    unit failure rate and failure rate of the i-th component, respectively

$\xi_1, \xi_2, \ldots, \xi_n$    independent events with probabilities $p_1, p_2, \ldots, p_n$, respectively

Introduction 


The development of the Saturn V launch vehicle system may be traced
through successive developments of the Saturn I and Saturn IB vehicles,
which consist of two propelled stages and an Instrument Unit. The first
stage (S-I) of Saturn I consisted of eight engines with a combined
thrust of $6.7 \times 10^{6}$ N (1.5 million lb); the second stage
(S-IV) has six LH2/LOX engines with a total thrust of
$4.0 \times 10^{5}$ N (90,000 lb). A boilerplate of the Apollo
spacecraft was flown with Saturn I. The first stage (S-IB) of Saturn IB
has the same basic eight engine configuration as the Saturn I, but the
engines have been modified to increase performance to a total thrust of
$7.1 \times 10^{6}$ N (1.6 million lb). The second stage (S-IVB) of
Saturn IB has one large LH2/LOX engine with a thrust of
$8.9 \times 10^{5}$ N (200,000 lb). The Instrument Unit in both
vehicles provides guidance and control, vehicle sequencing, telemetry,
and other instrumentation.

The Saturn IB system, whose maiden flight occurred early in 1966,
bridges the gap between the Saturn I and Saturn V vehicles. This system
consists of concepts and hardware developed for the Saturn I program
and incorporates new ideas, techniques, and hardware required in the
Saturn V system. It has the capability of orbiting the Apollo
spacecraft.

In the Saturn V system, which is being developed to place a man on the
moon, the second stage (S-IVB) of the Saturn IB vehicle moves up to
become the third stage. Likewise, the Instrument Unit and the payload
remain basically intact and make up the forward portion of the vehicle.
The first stage (S-IC) consists of five newly developed engines; each
has a thrust approximately equivalent to that of the total Saturn I
first stage, and the total thrust is $33.5 \times 10^{6}$ N (7.5
million lb). The second stage (S-II) is being developed with five
LH2/LOX engines, each with a thrust equivalent to that used on the
S-IVB stage; the total thrust is $4.5 \times 10^{6}$ N (1.0 million
lb). The Instrument Unit of the Saturn V vehicle is basically
equivalent to that of Saturn I and IB with slight modifications or
equipment rearrangement to accommodate and facilitate the Apollo
mission. The Saturn V guidance and control system discussed applies
generally to the Saturn IB system as well.

The primary mission of the Apollo project is to place three astronauts
in a lunar orbit, to land two of the astronauts on the moon's surface,
and to safely return the crew to the earth's surface. The Saturn V
launch vehicle is instrumental in the first phase of this operation for
it is the vehicle system that will inject the spacecraft and its crew
into the lunar trajectory. Since so much is at stake in this project,
both in terms of the lives of entire crews as well as the tremendous
expense of such an undertaking, it is imperative that each mission be
successfully completed. Considerable effort has been expended from the
outset of the conceptual design phase to insure that the Saturn V
launch vehicle is as reliable as today's technology permits. In many
cases, the technology has been extended considerably to meet the
stringent reliability requirements for these complex missions. In
addition to the Apollo mission, it is expected that the Saturn V
vehicle system will be required for other critical earth orbit and
possibly interplanetary missions.

Major emphasis has been placed on attaining the highest reasonable
reliability in the development of the flight-critical guidance and
control system of the Saturn V launch vehicle. The emphasis on
reliability has overshadowed other design considerations such as
minimized weight, power consumption, and, to some extent, cost.

Historically, reliability improvement has been attacked through
simplicity in concept, conservative design, high reliability component
parts, and extensive testing programs and techniques. These basic
principles have been extensively employed in the guidance and control
system design. The number and type of functional units required to
fulfill the prescribed mission have been kept to the absolute minimum.
The hardware in the Saturn system is conservatively designed with
flight-proven components and techniques being employed to the maximum
extent. In spite of the conservatism and emphasis on simplicity
employed in the basic system layout and detailed hardware design, the
implemented system is still extremely complex, consisting of millions
of component parts which must operate over extended periods of time.
Therefore, redundancy is required to achieve the desired reliability.

Basic Redundancy Concepts 

Within the past two decades, tremendous strides have been made in
improving component part reliability. The transistor demonstrated a
marked reliability improvement in comparison to the electronic tube;
and, in more recent years, microminiaturization and integrated circuits
have contributed significantly to electronic circuit reliability
improvement. However, even with this advancement in basic technology,
overall system reliability has not improved sufficiently to meet
today's demand for the following reasons. First, the number of
component parts in today's systems has increased significantly compared
to those of a few years ago. Second, reliability requirements have
increased considerably because of man-rated systems and the necessity
of extended periods of operation. For these reasons, new techniques
utilizing redundancy concepts have been developed. The concepts
themselves are not new and were investigated by J. von Neumann and
others; however, only recently have they been employed on such a large
scale. The Saturn V guidance and control system represents the largest
scale application of redundancy that exists in any present flight
system.

The types of redundancy employed fall into the following categories:
duplex, triple modular redundant (TMR), prime-reference-standby (PRS),
quadruplex, and multiple parallel elements (MPE). Each approach is
discussed to point out the reliability improvement obtained.

Three axioms of probability theory useful in the following derivations
of reliability are as follows.

1. If $p$ denotes the probability that an event will occur, then
$1 - p$ denotes the probability that the event will not occur.

2. If the events $\xi_1, \xi_2, \ldots, \xi_n$ are independent events
with probabilities $p_1, p_2, \ldots, p_n$, respectively, then the
probability that all of the events should happen simultaneously when
all are in question is the product of the probabilities

$$P = \prod_{i=1}^{n} p_i . \tag{1}$$

3. If the probabilities of mutually exclusive events
$\xi_1, \ldots, \xi_n$ are $p_1, p_2, \ldots, p_n$, respectively, then
the probability that any one of these events should happen when all are
in question is the sum of the probabilities

$$P = \sum_{i=1}^{n} p_i . \tag{2}$$

The reliability or probability of success of a single unit, whether a
single component or a system, will be represented by $R$, and the
reliability of the redundant arrangement by $P$. It is assumed that the
equipment under discussion has been operated through a burn-in phase
and does not have or has not reached the wearout phase. The reliability
can therefore be conveniently expressed as a time dependent function.
The expression relating reliability to time may be simply derived as
follows.

Consider that $N_o$ integral units, either single components or
subsystems, comprise a system. Assume that each unit is functioning
independently of the others and that the number of units which have
failed at time $t$ is $F$. Then, the number of good units ($N$)
remaining after time ($t$) is

$$N = N_o - F . \tag{3}$$

Assuming that the failure rate of the units is directly proportional to
the number of good units results in


where $\lambda$ is the constant of proportionality and is commonly
referred to as unit failure rate.


Substituting equation 3 into equation 4 results in

$$\frac{dF}{dt} = \lambda (N_o - F) . \tag{5}$$

Solving this differential equation for $F$ and evaluating the solution
at $t = 0$ and $F = 0$ for the constant of integration yields

$$F = N_o (1 - e^{-\lambda t}) . \tag{6}$$

If a unit is selected from the set, the probability that it has failed
is, by definition, $F/N_o$; from axiom 1 the probability that it is
good is $1 - F/N_o$ or from equation 4 is given by

$$R = e^{-\lambda t} . \tag{7}$$

The simplest and lowest level of redundancy utilized is that which
duplicates a component part to prevent a system failure in the presence
of a short or open of the component. With a component that tends to
fail in the shorted mode, an additional component would be added in
series; likewise, for a predominant open failure mode, a parallel
component would be added. These arrangements are shown symbolically in
Figure 1; the truth table represents the possible states of the units.
The total number of combinations of states is derived from $S^n$, where
$S$ is the number of possible states and $n$ is the number of units. In
this arrangement, there are two states since each unit can either be
good or bad, and the number of units is two, giving four possible
combinations. If in the truth table a "0" is interpreted as a failure
in the predominant mode and a "1" represents an operative unit, the
same table applies to both the series and parallel combinations.

Truth tables, which are of primary importance in the design of logical
systems, are useful in enumerating the possible combinations or states
of a system and selecting the combinations which result in a system
failure as well as indicating the assumptions and failure modes in each
case. With a truth table and axioms 1, 2, and 3, the Boolean expression
for system reliability can be readily derived. This technique will be
used throughout to derive the reliability expressions.

Figure 1. Series and Parallel Configuration with Truth Table

The probability that the system is operative is given by

$$P = R_a \bar{R}_b + \bar{R}_a R_b + R_a R_b . \tag{8}$$

Assuming $R_a = R_b = R$, we obtain

$$P = (1 - R) R + R (1 - R) + R^2 = 2R - R^2 . \tag{9}$$

The reliability of the system as a function of time and unit failure
rate is obtained by substituting equation 7 into equation 9 which
results in

$$P = e^{-\lambda t} (2 - e^{-\lambda t}) . \tag{10}$$

The duplex arrangement can also be employed at the module and subsystem
level, where a single predominant failure mode cannot be assumed to
exist. In this arrangement a decision to determine which channel is
operating correctly must be made. Consider a duplex arrangement,
consisting of identical units, and a decision element with the ability
to determine which of the two units is good in case of a unit failure.
This is shown symbolically in Figure 2; the truth table represents the
possible states of the units.

TRUTH TABLE FOR DUPLEX UNITS

$R_a$   $R_b$   Decision element state   System status
  0       0              B               FAILED
  0       0              A               FAILED
  0       1              B               OPERATIVE
  0       1              A               FAILED
  1       0              B               FAILED
  1       0              A               OPERATIVE
  1       1              B               OPERATIVE
  1       1              A               OPERATIVE

Figure 2. Duplex Configuration with Truth Table

In the truth table, a "0" is interpreted as a failed unit and a "1"
represents an operative unit. The A or B in the decision element state
column indicates which element has been selected. It has been assumed
that the decision element must select one element, but that both cannot
be selected simultaneously. The logical conditions necessary for the
system to be operative are

$$R_a \bar{R}_b V_a + \bar{R}_a R_b V_b + R_a R_b V_a + R_a R_b V_b$$

where $V_a$ and $V_b$ indicate which unit has been selected. The
reliability of the duplex system, when the reliability of the decision
element is considered, is given by

$$P = R^2 + 2 (R - R^2) R_v \tag{11}$$

where $R_v$ is the decision element reliability. This equation reduces
to that for the series or parallel cases (equation 10) if the
reliability of the decision element is ignored, i.e., it has a
reliability of one.

The duplex technique is one of the most desirable forms of redundancy,
both in terms of simplicity and reliability improvement. However, the
major disadvantage which limits its application considerably is the
problem of determining the functional unit when a failure has occurred.
The techniques used in the Saturn system to overcome this shortcoming
are discussed later.

A triplex, or triple modular redundant (TMR), arrangement is shown in
Figure 3. In this system the decision element, sometimes called voter,
reacts to the majority inputs; consequently, only one failure can be
tolerated.

Figure 3. TMR Configuration with Truth Table

Four of the combinations result in system failure while the other four
yield proper operation. The Boolean expression for proper operation is

$$P = \bar{R}_a R_b R_c + R_a \bar{R}_b R_c + R_a R_b \bar{R}_c + R_a R_b R_c \tag{12}$$

indicating that only one failure can be tolerated. Therefore, assuming
identical units, the reliability of the system is given by

$$P = 3 (1 - R) R^2 + R^3 = 3R^2 - 2R^3 . \tag{13}$$

The reliability of the decision element in a TMR arrangement may be
considered in one of two ways. If three decision elements are used per
trio, i.e., one for each element, the reliability of the voter may be
lumped with that of the unit. The reliability of the unit then is
decreased accordingly. If a single decision element is used for a trio,
the result is a trio in series with a single element resulting in a
reliability given by

$$P = (3R^2 - 2R^3) R_v \tag{14}$$

where $R_v$ is the voter reliability. In either case, when the voter is
assumed to be perfect, $R_v = 1$, the reliability of the system is
given by equation 13.




TRUTH TABLE FOR TMR UNITS

$R_a$   $R_b$   $R_c$   SYSTEM STATUS
  0       0       0     FAILED
  0       0       1     FAILED
  0       1       0     FAILED
  0       1       1     OPERATIVE
  1       0       0     FAILED
  1       0       1     OPERATIVE
  1       1       0     OPERATIVE
  1       1       1     OPERATIVE


Where TMR techniques are utilized in digital applications, advantage
can be taken of the possibility of failures in opposite directions
cancelling. For example, the second combination in the truth table
(Fig. 3) would not have resulted in a system failure if $R_a$ had
failed to a logical "0" and $R_b$ to a logical "1," or if $R_a$ had
failed to a logical "1" and $R_b$ to a logical "0." This may be
expressed in the form

$$R_{a0} R_{b1} R_c + R_{a1} R_{b0} R_c$$

where the second subscript indicates failure mode.

Since this can occur in three such combinations, the Boolean expression
for the reliability gained by opposite failures cancelling is

$$R_{a1} R_{b0} R_c + R_{a0} R_{b1} R_c + R_{a0} R_b R_{c1} + R_{a1} R_b R_{c0} + R_a R_{b0} R_{c1} + R_a R_{b1} R_{c0} . \tag{15}$$

The probability of unit failure is the sum of the probabilities of
component failures to a "0" state and to a "1" state; thus
$\bar{R} = R_0 + R_1$. Without investigating the details of a specific
application there is no reason to suspect a failure to any particular
state to be more prevalent than to the other state; consequently,
$R_0 = \tfrac{1}{2} \bar{R}$ and $R_1 = \tfrac{1}{2} \bar{R}$. This
leads to the conclusion that $R_0 = \tfrac{1}{2} (1 - R)$ and
$R_1 = \tfrac{1}{2} (1 - R)$. Substituting these values into equation
15 yields the reliability gained from consideration of failures in
opposite directions and is given by

$$P_K = 6 \left[ (R) \, \tfrac{1}{2} (1 - R) \, \tfrac{1}{2} (1 - R) \right] = \tfrac{3R}{2} \left[ (1 - 2R + R^2) \right] . \tag{16}$$

The reliability of a TMR system when failures in opposite directions
are considered is given by the sum of equations 13 and 16 yielding

$$P = (3R^2 - 2R^3) + \left( \tfrac{3R}{2} - 3R^2 + \tfrac{3}{2} R^3 \right) = \tfrac{1}{2} (3R - R^3) . \tag{17}$$
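The cancellation argument behind equations 15 to 17 can be checked by enumerating unit states. The Python sketch below is an added example, not part of the original paper; it assumes each unit is good with probability R or stuck at "0" or "1" with probability (1 - R)/2 each, and it counts a trio as operative only if the voted output is correct for either data value. All function and constant names are chosen here for illustration.

```python
from fractions import Fraction
from itertools import product

GOOD, STUCK0, STUCK1 = "good", "stuck0", "stuck1"


def unit_output(state, true_bit):
    """Output of one channel: the true bit if good, else the stuck value."""
    if state == GOOD:
        return true_bit
    return 0 if state == STUCK0 else 1


def voter(outputs):
    """Majority decision element over three binary inputs."""
    return 1 if sum(outputs) >= 2 else 0


def trio_is_operative(states):
    """Operative only if the voted output is right for both data values."""
    return all(
        voter([unit_output(s, bit) for s in states]) == bit for bit in (0, 1)
    )


def tmr_reliability(R, count_cancelling=True):
    """Sum the probabilities of all operative rows of the 3**3 state table.

    count_cancelling=False reproduces equation 13 (any two failed units are
    a system failure); True also credits opposite failures (equation 17).
    """
    R = Fraction(R)
    p = {GOOD: R, STUCK0: (1 - R) / 2, STUCK1: (1 - R) / 2}
    total = Fraction(0)
    for states in product(p, repeat=3):
        if count_cancelling:
            ok = trio_is_operative(states)
        else:
            ok = sum(s != GOOD for s in states) <= 1
        if ok:
            total += p[states[0]] * p[states[1]] * p[states[2]]
    return total


if __name__ == "__main__":
    R = Fraction(9, 10)  # constructed sample value
    basic = tmr_reliability(R, count_cancelling=False)
    full = tmr_reliability(R)
    print("equation 13:", basic, " equation 17:", full, " gain P_K:", full - basic)
```
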

Another redundancy scheme is the primary-reference-standby (PRS)
technique employing three channels that serve, as the name implies,
three separate functions. In the normal unfailed condition, the primary
channel B is functional in the system. Its output is compared to the
reference A; and, in case of disagreement beyond an established level,
the standby channel C is substituted for B. This scheme along with its
truth table is shown in Figure 4.

Figure 4. PRS Configuration with Truth Table

Again it has been assumed that the comparator has selected either B or
C, but that it cannot select both simultaneously. The necessary logical
conditions for this system to be operative are

$$\bar{R}_a \bar{R}_b R_c V_c + \bar{R}_a R_b \bar{R}_c V_b + \bar{R}_a R_b R_c V_b + \bar{R}_a R_b R_c V_c$$
$$+ R_a \bar{R}_b R_c V_c + R_a R_b \bar{R}_c V_b + R_a R_b R_c V_b + R_a R_b R_c V_c$$

where $V_b$ and $V_c$ indicate which element has been selected. When
the units are assumed to be identical, the reliability of the system is
given by

$$P = (R^3 - R^2)(1 - 2R_v) + R \tag{18}$$

where $R_v$ is the comparator reliability. If the comparator is assumed
to have a reliability of one, equation 18 reduces to

$$P = R (1 + R - R^2) . \tag{19}$$

The PRS technique has a major disadvantage in that it is more
susceptible to transients or intermittents than the other schemes.
Consequently, if a transient causes the comparator to switch to the
standby unit, means should be available to switch back to the original
unit with its reference; otherwise all the advantages of the redundant
system have been lost from that point on. As discussed later, the
switchback technique is employed in some PRS portions of the Saturn
system but not in others.

The next technique to be considered is the quadruplex arrangement shown
with its truth table in Figure 5. Since the arrangement has four units,
$2^4$ combinations are possible. In Figure 5, assume that only one
failure in each or in both branches can be tolerated, and two failures
in any one branch will result in a system malfunction.

Figure 5. Quadruplex Configuration with Truth Table

Inspection of the truth table for the quadruplex arrangement reveals
that the system reliability may be obtained by

$$P = 1 - (1 - R)^4 - 4 (1 - R)^3 R - 2 (1 - R)^2 R^2 = R^2 (4 - 4R + R^2) . \tag{20}$$

The quadruplex arrangement is most useful when applied at the component
level, i.e., to resistors, capacitors, diodes, valves, relays, etc.,
where the component does not have a single predominant failure mode. In
applications where a single failure mode exists, two components in
series or parallel would be employed in preference to the quadruplex
arrangement.


An inherent redundancy exists in some subsystems because of certain
features of the overall system configuration dictated by other
subsystems. In such cases the subsystem may continue to operate either
with no degradation or with an acceptable degradation of performance in
the presence of one or more failed elements. An example of such a
situation exists in the Saturn guidance and control system because of
the required clustering of engines to provide the necessary vehicle
thrust. Since four engines are gimbaled to maintain vehicle control,
the failure of one of the four control channels in each plane does not
cause a system failure. The subsystem can be treated as one having four
parallel elements, with the failure of any one element being
permissible. This arrangement is referred to as multiple parallel
elements (MPE). The applicable schematic and truth table are shown in
Figure 6. Five combinations in Figure 6 result in continued successful
operations. The resulting expression for proper operation is

$$P = \bar{R}_a R_b R_c R_d + R_a \bar{R}_b R_c R_d + R_a R_b \bar{R}_c R_d + R_a R_b R_c \bar{R}_d + R_a R_b R_c R_d .$$

Again, assuming identical units results in

$$P = 4 (1 - R) R^3 + R^4 = 4R^3 - 3R^4 . \tag{21}$$

Figure 6. MPE Configuration with Truth Table

Any of the redundant arrangements may be cascaded and the total system
reliability may be found from axiom 2. For example, a system composed
of two duplex subsystems similar to those in Figure 2 would have a
reliability given by

$$P = (2R - R^2)^2 . \tag{22}$$

Similarly, a system composed of a duplex subsystem and a TMR subsystem
would have a reliability given by

$$P = (2R - R^2)(3R^2 - 2R^3) . \tag{23}$$

To summarize, Table 1 shows the reliability expression for each scheme
discussed in order of reliability preference. However, practical
limitations usually determine the choice of schemes.

Table 1. Redundancy Schemes

Scheme       Reliability Expression      Assumptions
Duplex       $2R - R^2$                  Proper decision element can be determined.
TMR          $\tfrac{1}{2}(3R - R^3)$    Failures in opposite directions can cancel.
PRS          $R(1 + R - R^2)$            Reference and normally used unit do not fail to the same state simultaneously.
Quadruplex   $R^2(4 - 4R + R^2)$         Limited generally to component part application.
MPE          $4R^3 - 3R^4$               4 elements
Simplex      $R$

In applying the theory to the assessment of the reliability of a
complex system, it is sometimes more convenient to express reliability
equations in terms of unreliability which can be derived from unit
failure rates. The unreliability of each component, subsystem, or
system is then expressed as a number of failures per unit of time,
permitting easier separation or combination of the associated numbers
without resorting to the manipulation of numbers involving a series of
"nines."

Since $R$ in the reliability expressions may be replaced by
$1 - \bar{R}$ where $\bar{R}$ is the probability of subsystem failure,
the reliability of a redundant unit may be expressed in terms of the
probability of failure of the single nonredundant unit. The result for
each type of redundancy is as follows.

Duplex       $P = 1 - \bar{R}^2$
TMR          $P = \tfrac{1}{2} [ 2 - 3\bar{R}^2 + \bar{R}^3 ]$
PRS          $P = 1 - 2\bar{R}^2 + \bar{R}^3$
Quadruplex   $P = 1 - 2\bar{R}^2 + \bar{R}^4$
MPE          $P = 1 - 6\bar{R}^2 + 8\bar{R}^3 - 3\bar{R}^4$        (24)

Further, $R = e^{-\lambda t}$ and
$\bar{R} = 1 - e^{-\lambda t} \approx 1 - (1 - \lambda t) = \lambda t$,
for very small $\lambda t$. Since in equations 24, $\bar{R}$ is also
very small, terms higher than the second order may be ignored. If the
higher order terms are ignored, the approximations for redundant system
unreliability expressed in terms of component failure rates and
operating time are

Duplex       $\bar{P} \approx (\lambda t)^2$
TMR          $\bar{P} \approx \tfrac{3}{2} (\lambda t)^2$
PRS          $\bar{P} \approx 2 (\lambda t)^2$
Quadruplex   $\bar{P} \approx 2 (\lambda t)^2$
MPE          $\bar{P} \approx 6 (\lambda t)^2$        (25)

From equations 25, the ordering of the system in rank of reliability
becomes obvious.
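The closed forms in equations 11, 14, 18, 20 and 21 and the coefficients in equations 25 can be reproduced by summing truth-table rows, which is the technique the text uses throughout. The Python sketch below is an added example, not part of the original paper; the function names are illustrative, and the way a failed decision element or comparator behaves (it makes the wrong selection) is an assumption chosen because it reproduces the printed equations.

```python
from fractions import Fraction
from itertools import product


def enumerate_reliability(n_units, p_operative, R):
    """Sum P(row) * P(operative | row) over all 2**n truth-table rows.

    A row is a tuple of 1 (unit good, probability R) and 0 (unit failed).
    p_operative(row) returns 0, 1, or a probability when a decision
    element has to select the right channel.
    """
    total = Fraction(0)
    for row in product((0, 1), repeat=n_units):
        p_row = Fraction(1)
        for good in row:
            p_row *= R if good else 1 - R
        total += p_row * p_operative(row)
    return total


def duplex(R, Rv=1):
    # Assumption: a failed decision element selects the failed unit.
    def ok(row):
        a, b = row
        return 1 if (a and b) else (Rv if (a or b) else 0)
    return enumerate_reliability(2, ok, R)


def tmr(R, Rv=1):
    # Majority vote without cancelling failures, one voter in series.
    return Rv * enumerate_reliability(3, lambda row: int(sum(row) >= 2), R)


def prs(R, Rv=1):
    # a = reference, b = primary, c = standby.
    # Assumptions: a and b never fail to the same state (Table 1), so a
    # working comparator stays on b only when a and b are both good; a
    # failed comparator makes the opposite selection.
    def ok(row):
        a, b, c = row
        if a and b:
            return Rv + (1 - Rv) * c
        return Rv * c + (1 - Rv) * b
    return enumerate_reliability(3, ok, R)


def quadruplex(R):
    # Two branches of two units; a branch fails only if both units fail.
    return enumerate_reliability(
        4, lambda row: int((row[0] or row[1]) and (row[2] or row[3])), R)


def mpe(R):
    # Four parallel elements, any single failure permissible.
    return enumerate_reliability(4, lambda row: int(sum(row) >= 3), R)


def enumerated(R, Rv=1):
    return {"duplex": duplex(R, Rv), "tmr": tmr(R, Rv), "prs": prs(R, Rv),
            "quadruplex": quadruplex(R), "mpe": mpe(R)}


def closed_forms(R, Rv=1):
    """Equations 11, 14, 18, 20 and 21 as printed in the paper."""
    return {
        "duplex": R**2 + 2 * (R - R**2) * Rv,
        "tmr": (3 * R**2 - 2 * R**3) * Rv,
        "prs": (R**3 - R**2) * (1 - 2 * Rv) + R,
        "quadruplex": R**2 * (4 - 4 * R + R**2),
        "mpe": 4 * R**3 - 3 * R**4,
    }


def second_order_coefficient(reliability_fn, lam_t):
    """(1 - P) / (lambda*t)**2 with unit unreliability set to lambda*t.

    For small lambda*t this approaches the coefficient in equations 25.
    Plain majority TMR gives 3; the 3/2 in equations 25 needs equation 17.
    """
    x = Fraction(lam_t)
    return (1 - reliability_fn(1 - x)) / x**2


if __name__ == "__main__":
    R, Rv = Fraction(99, 100), Fraction(999, 1000)  # constructed values
    exact = enumerated(R, Rv)
    for name, formula in closed_forms(R, Rv).items():
        print(f"{name:10s} table={float(exact[name]):.6f} formula={float(formula):.6f}")
    for fn in (duplex, prs, quadruplex, mpe):
        print(fn.__name__, float(second_order_coefficient(fn, Fraction(1, 1000))))
```
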

Figure 7 is a graphical comparison of the reliability of the simplex,
duplex, TMR, PRS, MPE, and quadruplex schemes as a function of unit
failure rate and time, where $R = e^{-\lambda t}$ has been substituted
into the equations previously derived. In the case of the TMR
arrangement, failures in opposite directions cancelling were assumed;
for the PRS arrangement, it was assumed that the reference unit and the
unit to which it is normally compared do not fail simultaneously to a
state which cannot be detected by the comparator. The figure further
substantiates the relative desirability of each scheme. The fact that a
portion of the reliability curve of the quadruplex and MPE scheme falls
below that of a simplex system is not significant because this occurs
at a reliability far below that which would be permissible in a
practical application. It is interesting to note that in the region
above 0.9, the reliability of the quadruplex and PRS schemes is
practically identical (equations 24 and 25).

Figure 8 further demonstrates the merits of redundant systems compared
to a simplex system and indicates quantitatively what can be gained
through the various techniques. For convenience, unreliability in terms
of failures per million is shown for both the simplex and redundant
systems. In the reliability assessment and comparisons appearing in the
following sections, the quantities are expressed in these terms.

Figure 7. Reliability Versus $\lambda t$ for Various Redundancy Schemes

Figure 8. Redundant Failures per Million Versus Simplex Failures per
Million for Various Redundancy Schemes

Guidance and Control System Description

The Saturn navigation, guidance, and control system is completely
self-contained within the vehicle and utilizes onboard inertial
sensors, computation, and control to direct the vehicle according to
the desired path and end conditions. A digital command system is
available as a part of the onboard astrionics system, but is not
planned for use in the primary mode.

The navigation function is accomplished through the use of acceleration
measurements provided by accelerometers mounted on the
space-direction-fixed stable element of the stabilized platform. The
resulting information is processed within the onboard digital
computation system. The acceleration information is integrated to
obtain vehicle velocity and position information. The current measured
position information is used to continuously calculate and combine the
gravitational effects with the measured data to obtain space-fixed
vehicle velocity and position.

The guidance function, which is the computation of the necessary
maneuvers to satisfactorily reach the specified end conditions, is
accomplished within the onboard digital computer system. To give the
desired result, the implemented guidance equations must take into
account various mission and vehicle constraints, one of the most
significant of which is that of propellant consumption optimization.
The equations programed into the onboard digital computer system
represent a path adaptive guidance scheme, termed the iterative
guidance mode (IGM), which fulfills the optimization requirements and
the guidance requirements for insertion both into earth orbit and
injection into the lunar trajectory. The specific results of the
guidance computation are as follows.

1. Instantaneous required thrust direction expressed as three Euler
angles.

2. Required time of engine cutoff to achieve the specified orbital
conditions.

3. Required time of engine ignition to leave earth orbit.

4. Required time of second cutoff to satisfy the lunar trajectory end
conditions.

The required angular directions resulting from the
guidance calculations are applied to the vehicle through
the control system. In addition to responding to the
commands of the guidance system, the control system
must maintain stabilization of the vehicle attitude in the
presence of various vehicle propellant sloshing, structural
bending, and load constraints. The elements of
the control system required to accomplish this task can
be divided into three specific functional areas: sensing
of vehicle state information, computation, and vehicle
torquing. In the Saturn V system, the vehicle state
information required is that of attitude and rate. (On
the Saturn I and IB vehicles, additional information
obtained through vehicle-fixed lateral accelerometers
was required to obtain structural load relief.) The
attitude information is obtained from resolvers mounted
on the stabilized platform gimbals. The information on
actual vehicle orientation from the resolvers is compared
in the onboard digital computer system with the
desired orientation determined from the guidance calculations,
resulting in the desired attitude control commands.
The three-axis attitude rate information required
to accomplish vehicle stabilization is obtained
from vehicle-fixed rate gyros.

The control "computation" consists of the gain
modification, filtering, mixing input attitude and rate
information, and shaping of this information to provide
vehicle stabilization in the presence of structural bending,
propellant sloshing, and other dynamic
characteristics. Routing of the control signals to the
proper end element to develop the desired vehicle
controlling torques is also part of this function.

Two methods are used to develop the control
torques in the Saturn V vehicle. Positioning of the primary
propulsion engines by hydraulic actuators is used
to control pitch and yaw on each of the three stages. In
addition, control about the roll axis is obtained on the
first two multiengine stages by the proper differential
positioning of the gimbaled engines. Roll control on the
single-engine third stage, and control of this stage about
all three axes during coasting phases, is accomplished
by an array of fixed direction thrusters. Pulses of
thrust from these low thrust devices are commanded by
the control electronics to provide corrective control
torques about the appropriate vehicle axes.

The basic elements of the navigation, guidance,
and control system are shown in block diagram form in
Figure 9, which indicates the primary form of redundancy
employed in each element. For a more detailed
description, the system is broken down into the digital
computer subsystem, the stabilized platform subsystem,
and the control subsystem. Each of these subsystems
encompasses a number of hardware elements, with
many performing a variety of functions in the overall
system.

Figure 9. Saturn V Guidance and Control System

The major systems are broken down in some
instances to the "black box" level and in others to a
specific functional level, depending on which breakdown
is more convenient and appropriate to illustrate the
application of redundancy. Although no attempt is made
to describe in detail the total application of redundancy,
examples of the different types are cited and described
in each subsystem. Where available, reliability numbers
are shown for the various modules in the subsystems
as well as for the total subsystems. The
theoretical gain in reliability through redundancy is also
shown in each case. Since the reliability assessments
of various elements were conducted by different groups,
the numbers may not be universally compatible.

However, some adjustment of the failure rates has
been effected where obvious discrepancies existed between
the numbers set forth in the various references.
In spite of these adjustments, caution should be exercised
in using the reliability numbers presented, even
though the numbers do indicate in gross terms the relative
reliability of the various elements and subsystems.
The prime intent is not to provide an accurate and intensive
reliability analysis, but rather to illustrate the
benefits of the various redundancy techniques employed.

The simplified equations previously developed are
used where possible. In many instances, the simplifying
assumptions made in the development of those equations
do not apply; therefore, specific equations that apply to
the particular situation must be developed.

For convenience, the module, subsystem, and
system assessments are expressed in terms of unreliability.
Through this approach, the relative contributions
of the various elements can be more easily portrayed.
Additionally, with the simplifying assumptions made,
the unreliability numbers of the various subelements can
be added directly to obtain the total unreliability.

As previously shown for highly reliable systems,

$$U \approx \lambda t.$$

This approximation can be made with an error less
than $(\lambda t)^2/2$.

In component or system operation in a particular
application, a degradation factor to account for the
effect of the particular environment must be considered.
This is generally called the environmental adjustment
factor, designated by k. Therefore $U \approx k\lambda t$. The
unreliability numbers are expressed as $U = k\lambda t \times 10^{6}$,
indicating the number of failures per million flights.
Note that the term "failures" as expressed here is intended
to designate component or system malfunctions
or out-of-tolerance operation in a million flights; it
does not indicate the number of vehicle or mission
losses in a million flights. To obtain the latter, which
is not covered in this analysis, the failure modes of the
various elements and the effects of those failures on the
vehicle behavior would have to be additionally considered.
Table II shows the k-factors for the various
stages and the phase times used in deriving the unreliability
numbers.
Table II. Phase Times and k-Factor for
Various Stages

Digital Computer System

The digital computer system developed for the
Saturn V vehicle consists of two basic units, a launch
vehicle digital computer (LVDC) and a launch vehicle
data adapter (LVDA). The LVDC is the basic computing
element in the vehicle with the capability of performing
arithmetic operations such as add, subtract,
multiply, and divide; it provides the intelligence for
making logical choices. The LVDA is essentially the
LVDC input/output unit and all signals to and from the
LVDC are processed in this unit. In addition, it performs
certain simple computational and logical operations
on data. The computer system is instrumental in
all three phases of operation for the Saturn V vehicle;
i.e., it plays a major role in the automatic checkout of
the vehicle before launch, solves the guidance equations,
provides attitude correction signals and vehicle sequences
during the boost phase, and assists in vehicle
checkout during the orbital coast phase.

The LVDC is a serial, fixed-point, stored program,
general purpose machine with a basic clock of 2.048 MHz.
Four clocks comprise a bit time and 14 bits a phase
time. The machine is organized to operate around three
phases or cycles. For example, data may be read from
memory during one phase or cycle and operated upon
during the next two cycles. Data words 28 bits in length
(25 magnitude bits, 1 sign, and 2 parity bits) are used
in computation. The memory, which contains from one
to eight random-access magnetic core modules each
consisting of 4096 data words, is arranged in such a
manner that one data word or two instructions (each
instruction contains a parity bit) may occupy one 28-bit
memory word. Special algorithms have been developed
and implemented for multiplication and division; multiplication
is done four bits at a time and division is done
two bits at a time. The system utilizes microminiature
circuitry where power and accuracy requirements permit.
Where microminiaturization cannot be employed,
conventional discrete components are used.

During flight, the digital computer system inputs
are (1) platform accelerometer outputs, (2) platform
gimbal angles representing vehicle attitude, (3) discrete
inputs indicating vehicle functions such as liftoff,
first stage cutoff, separation, second stage ignition,
second stage cutoff, and engine out, and (4) command
receiver signals allowing memory alteration and ground
control.

During flight, the digital computer system outputs
are (1) steering or attitude correction commands, (2)
discrete outputs commanding vehicle sequencing such as
cutoff and separation, and (3) telemetry data words,
40 bits each, at a maximum rate of 240 per second, for
monitoring trajectory parameters and computer system
operation.

Because of the critical functions performed by this
system, every effort has been made to make it as reliable
as possible. Many forms of redundancy have been
incorporated into the system, which utilizes quadruplex
components and circuits, and duplex, TMR, and PRS techniques
as well as overall system backups. The system
represents one of the largest scale applications of redundancy
employed to date. The LVDC and LVDA form
a complex system containing more than ‘*5,00(1 equivalent
electronic components. Of this number, less than one
half of one percent are employed in such a manner that
a single component failure would result in a system
failure.


Figure 10 shows a simplified block diagram of the
LVDC and indicates the redundancy techniques employed
in that unit, with the corresponding unreliability indicated
in each block. The fact that the TMR timing and
logic depicted in Figure 10 is very much simplified is
borne out when the TMR organization of the LVDC is
considered in any detail. For example, since the TMR
logic of the machine is considered to consist of seven
functional modules, in the idealized case, it would be
expected that 21 voters would be employed in the machine.
However, because of the various feedback paths and the
fact that each module has several output signals feeding
various other modules, the idealized model cannot be
employed accurately. For example, instead of 21 voters
being employed in the LVDC timing and logic, approximately
155 signals are voted on, giving a total of 305
voters. The LVDA employs 237 voters in its TMR logic.


Figure 10. Block Diagram of the Launch Vehicle
Digital Computer


Because of the relative simplicity of the basic
2.048 MHz oscillator (it contains only five electronic
components) and the technical problems inherent in
synchronizing multioscillators, a simplex oscillator
system is employed in the LVDC. The output of the
basic oscillator is used to form the necessary phasing
and clock signals in the timing generator. Each channel
of the TMR logic contains its own timing generator;
consequently, a failure of the timing generator results
in a failure of that channel. The memory system,
expandable in modules of 4096 words, 28 bits in length,
up to eight memory modules, is employed either in a
duplex or simplex manner depending upon the criticality
of the program being run. For instance, prelaunch programs
are simplexed while flight routines are duplexed.
From Figure 10, it is evident that the reliability of the
LVDC may be approximated by

$$P = (R_o)(R_l)(R_m) \tag{26}$$

where $R_o$ is the reliability of the simplex oscillator, $R_l$
is the reliability of the combined TMR timing generator
and logic, and $R_m$ is the reliability of the duplex memories.
The methods determining the reliability for each
of these will now be considered.

The number of component parts in the system and
their failure rate, the Saturn V mission time, and
environmental conditions determine the unreliability of
the oscillator, which is $U_s = 16$.

The reliability for the timing generator and logic 
cannot be determined so simply for reasons indicated 
previously. Any attempt to accurately compute analyti- 
cally the reliability of the timing generator and the com- 
plex logic it feeds, without making a great number of 
simplifying assumptions, would lead to a mathematical 
expression containing literally thousands of terms. 
Therefore, a method employing the Monte Carlo tech- 
nique, which is basically a technique of simulated 
sampling, has been devised so that the reliability may be 
approximated. 

Although the Monte Carlo technique is general and 
has been applied in many other fields, it represents a 
rather unique application in this particular field. Thus, 
a brief description of the basic procedures using this 
technique is in order; the evaluation procedures consist 
basically of three phases: 

1. With simulation techniques, generate a set of
failed components.

2. Locate the computer subsystems containing the
failed components.

3. Trace the simulated failures through the logic to
determine their consequence.

The first step consists of generating, by a random
process, a set of failed components. If an exponential
distribution of time to failure is assumed for a
component, the probability of failure for that component
is

$$R = 1 - e^{-\lambda t} \tag{27}$$

where t is time and λ is the failure rate of the component.
When the design contains $N_i$ components of type i,
the probability of failure becomes

$$R = 1 - e^{-N_i \lambda_i t} \tag{28}$$

Solving equation 28 for t yields

i ■ 

where $t_{ik}$ is the time at which the kth failure of component
type i occurs. In each trial a random number between
"0" and "1" is chosen and substituted for R, and
equation 29 is evaluated. The result is the time, $t_{i1}$, at
which the first failure of component type i occurs. Then
$t_{ik}$ is compared to mission time T. If $t_{ik} < T$, a failure
is recorded, $N_i$ is reduced by one, and the process is
repeated. As each $t_{ik}$ is calculated, it is added to the
sum of the previous $t_{ik}$'s and the new total is compared
to mission time. The process is completed when the
summation of the failure times exceeds the mission
time, i.e., $\sum t_{ik} > T$.

Each of the ith components in the system is assigned
a number. The system's functional component that failed
at time $t_{ik}$ is determined by multiplying the random
number generated by the total number of i components in
the group; i.e., the random number chosen gives both
time of failure and component that failed. This process
is repeated for each component type in the system.

The second step consists of locating, within the
logic framework of the machine, the component parts
that failed. The third and final step consists of tracing
the effects of the failed components, in the sequence in
which they occur, upon the TMR logic. If in time T, the
total combination of failures did not result in a system
failure, a successful trial resulted. After many trials,
the reliability of the system is then determined from

$$P = \frac{\text{number of successful trials}}{\text{total number of trials}}$$

The unreliability of the LVDC timing generator and
logic using simulated sampling is $U_r = 10$. Approximately
20,000 "games" were played to determine this
value. The confidence interval, which can be associated
with this estimate as a function of the number of
trials, is determined by

$$P_a = P_e \pm Z_c \sqrt{\frac{P_e (1 - P_e)}{m}} \tag{30}$$

where $P_a$ is the actual but unknown reliability, $P_e$ is the
estimated reliability obtained from simulated sampling,
$Z_c$ is the confidence limit expressed in terms of standard
deviations, and m is the total number of trials.
From this, there is 90 percent confidence that
$0 < U_r < 50$.

It is of interest to apply the simplified analytical 
technique derived earlier and to compare these results 
with those obtained from the Monte Carlo method. From 
the number of component parts in a simplex system and
their failure rates and a Saturn V mission, the unrelia- 
bility of a simplex computer timing and logic has been 
determined by Monte Carlo to be U = 2500. 

A voter for a logic module adds approximately
25 percent to the number of component parts of that
module; therefore, a simplex machine with enough component
parts necessary for voters for one channel would
have 25 percent more component parts than a simplex
machine and would have a reliability given by

$$R = e^{-1.25\, n\lambda t}$$

where $n\lambda t = -\ln(1 - 2500 \times 10^{-6})$. The unreliability of a
simplex channel with voters then is $U = 3120$. If a
simplex machine is divided into n modules, each of
which has a reliability of $R^{1/n}$, and triplicated, the
reliability of one trio as given by equation 17 is

$$P = \tfrac{1}{2}\left[3R^{1/n} - R^{3/n}\right]. \tag{31}$$

Now, the reliability of a TMR machine consisting of n 
sets of triplicated modules is given by 



For the LVDC, since a simplex machine may be considered
to have been divided in seven equivalent parts,
n = 7, and R for each of the elements is 0.996880 as
previously derived, the unreliability for the entire TMR
logic is

$U_r = 2$.

Since in the ideal case it was assumed that the
seven logic modules have equal reliabilities and that the
logic was organized in such a manner to utilize 21 voters
(neither of which is true in practice), it is expected that
the ideal case would result in higher reliability than that
obtained through simulated sampling. The more accurate
result derived by Monte Carlo techniques for the
LVDC is U = 10, which is used in the subsequent
assessment.
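
The ideal-case arithmetic above and the three-phase simulated-sampling procedure described earlier can be checked against each other. The Python below is an added example, not code from the paper: it reproduces U ≈ 3120 and U ≈ 2 from the page's figures, then plays the Monte Carlo "games" on an idealized machine of n trios and applies equation 30. Assumptions: one hypothetical part per channel, a failure direction chosen at random so that the opposite-direction cancelling of equation 17 applies, a second random draw to pick the failed part, z_c = 1.645 for 90 percent, and all function names.

```python
import math
import random

MILLION = 1_000_000


def simplex_with_voters(u_simplex, voter_overhead=0.25):
    """Reliability of one simplex channel that also carries its voters.

    u_simplex is in failures per million; voters add about 25 percent to
    the part count, so R = exp(-1.25 * n*lambda*t).
    """
    n_lambda_t = -math.log(1.0 - u_simplex / MILLION)
    return math.exp(-(1.0 + voter_overhead) * n_lambda_t)


def ideal_tmr_unreliability(r_channel, n_modules):
    """Ideal-case TMR unreliability in failures per million.

    Each module has reliability R**(1/n); one trio follows equation 31
    and the n trios operate in series.
    """
    r = r_channel ** (1.0 / n_modules)
    trio = 0.5 * (3.0 * r - r ** 3)
    return (1.0 - trio ** n_modules) * MILLION


def sample_failures(rng, n_components, lam, mission_time):
    """Phase 1: draw successive failure times until their sum exceeds T.

    Equation 28 solved for t: with N parts still working, the wait for the
    next failure is t = -ln(1 - R) / (N * lam), R uniform in [0, 1).
    Returns the indices of the failed parts in order of failure.
    """
    alive = list(range(n_components))
    failed, elapsed = [], 0.0
    while alive:
        elapsed += -math.log(1.0 - rng.random()) / (len(alive) * lam)
        if elapsed > mission_time:
            break
        # Assumption: a second draw picks the failed part (the paper
        # derives time and part from the same random number).
        failed.append(alive.pop(rng.randrange(len(alive))))
    return failed


def trial_survives(rng, n_modules, lam, mission_time):
    """Phases 2 and 3 on an idealized machine: n trios, one part per channel."""
    stuck = {}  # module index -> stuck output value of each failed channel
    for part in sample_failures(rng, 3 * n_modules, lam, mission_time):
        module = part // 3                       # phase 2: locate the failure
        values = stuck.setdefault(module, [])
        values.append(rng.randrange(2))          # failure direction, 0 or 1
        # Phase 3: the voter is wrong once two failed channels agree; two
        # failures in opposite directions cancel, a third always agrees.
        if len(values) == 3 or (len(values) == 2 and values[0] == values[1]):
            return False
    return True


def confidence_half_width(p_e, trials, z_c=1.645):
    """Equation 30 half-width; z_c = 1.645 (two-sided 90 percent) is assumed."""
    return z_c * math.sqrt(p_e * (1.0 - p_e) / trials)


def monte_carlo_unreliability(r_channel, n_modules, trials, seed=1):
    """Return (estimated U, equation 30 half-width), both per million."""
    rng = random.Random(seed)
    mission_time = 1.0                           # time unit is arbitrary
    lam = -math.log(r_channel) / (n_modules * mission_time)
    wins = sum(trial_survives(rng, n_modules, lam, mission_time)
               for _ in range(trials))
    p_e = wins / trials
    return (1.0 - p_e) * MILLION, confidence_half_width(p_e, trials) * MILLION


if __name__ == "__main__":
    r = simplex_with_voters(2500)
    print(f"simplex channel with voters: R = {r:.6f}")
    print(f"ideal TMR, n = 7: U = {ideal_tmr_unreliability(r, 7):.2f}")
    # Constructed stress case: a channel far less reliable than the LVDC,
    # so that 20,000 games produce enough failures to compare.
    print(monte_carlo_unreliability(0.5, 7, 20_000),
          ideal_tmr_unreliability(0.5, 7))
```

With an estimate of 10 failures per million from 20,000 games, the equation 30 half-width is about 37 per million, which is why the interval quoted above spans 0 to roughly 50: at this reliability level 20,000 games yield almost no failures to count.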

The reliability of the LVDC toroidal core memory
system may be found directly from component part count
and failure rates using analytical means. Since a major
problem in duplex systems often is failure detection
mechanisms, it is of interest to note the type of failure
detection employed in the LVDC memory system. The
memory has two types of failure detection circuitry:
odd parity checking and half select current monitoring.
It is felt that parity checking will detect major failures
in the sense amplifiers, cores, inhibit drivers, memory
buffer registers, and variable strobe gates, while half
select current monitoring will indicate major failures in
the voltage and current drivers, decoupling circuitry,
memory timing, and connection circuitry. Errors not
determined by current checking, however, may be
detected by parity checking.

The reliability of the memory system may be found
directly from the relationship

$$P = \{R_1 + R_2(1 - R_1)[A + (1 - A)(0.5)]\}^{N} \tag{33}$$

where $R_1$ is the reliability of memory module 1 of a
duplex pair, $R_2$ is the reliability of memory module 2 of
the pair, A is the ratio of failures detected by current sensing
to all failures, (1 - A) is the ratio of failures not detected
by current sensing to all failures, and N is the
number of duplex pairs operating in series. Equation 33
infers that memory 1 is good or that memory 1 fails but
2 is good and that the failure is detected by the current
sensing circuits or, if it is not detected, there is a
50/50 chance that it will be picked up with parity checking.

The reliability of a single memory module found
from part count, generic failure rates, and Saturn V
mission operating conditions is R = 0.998610, and from
engineering design analysis the chance of a nondetectable
failure (1 - A) is 0.07.'! From equation 33, the unreliability
of an eight memory module configuration with
a storage capacity of 16 000 duplexed words is $U_r = 226$.

In summary, the unreliability of the LVDC for the
Saturn V mission is the sum of the unreliabilities of the
simplex oscillator, the TMR timing and logic, and the
four duplexed memory modules; i.e., U = 16 + 10
+ 226 = 252.

The reliability of the LVDA is not as straightforward
as the LVDC because many varied functions intermingled with
the other systems, primarily the LVDC and platform, are
performed in the LVDA. For example, the LVDA power
supplies are required for operating the LVDC, processing
vehicle attitude and velocity information, and
issuing attitude correction commands. Parts of the
LVDA TMR logic are time shared and are required with
various critical vehicle functions. The LVDA utilizes
various types of redundancy techniques: duplex, TMR,
PRS, as well as system backup. However, only isolated
types such as the LVDA power supplies and the digital-to-analog
converter subsystem are discussed. All of
these functions are flight critical. The reliability of the
logic portion of the LVDA is found similarly to that for
the LVDC. The TMR logic of the LVDA has an assessed
unreliability of $U_r = 10$ for the Saturn V mission.

Six power supplies in the LVDA, which supply dc
power to the LVDC as well as the LVDA, are all duplexed.
Figure 11 shows a typical power supply. The dc to
dc power converters are tied together through isolation
diodes. Should a converter fail low, the other converter
picks up the load. It is imperative that a converter not
fail high because the diode isolation between the two
units would be worthless. The feedback amplifiers used
with each converter are duplexed to minimize the probability
of this happening. One duplex system is functional
provided the following condition is fulfilled.


$$P = P_{h(\text{low})} P_{h'} + P_h P_{h'(\text{low})} + P_h P_{h'} \tag{34}$$

i.e., the output of converter h can be low and h' can be
correct, or the output of converter h' can be low and h
can be correct, or both outputs can be correct. Under
the assumption that the chances of a feedback amplifier
failing low are equal to those of it failing high (this is a
valid and accurate assumption in this case), the expression
for a simplex power supply (one converter and
two feedback amplifiers) failing low is

$$P_{h(\text{low})} = P_{h'(\text{low})} = 1 - R_h R_f^2 - 2R_h R_f(1 - R_f) - R_h(1 - R_f)^2 \tag{35}$$

where

$R_h R_f^2$ - probability that the converter
and both amplifiers are good.
(The output of the converter
is correct.)

$2R_h R_f(1 - R_f)$ - probability that the converter
is good, one amplifier is good,
and one has failed low. (The
output of the converter is
correct.)

$R_h(1 - R_f)^2$ - probability that the converter
is good and that both amplifiers
have failed low. (The output
of the converter is therefore
high.)

Figure 11. Typical LVDA Duplex
Power Supply


Now, the probability that the output of a simplex power
supply is correct is given by the first two terms and is

$$P_h = P_{h'} = R_h R_f^2 + 2R_h R_f(1 - R_f). \tag{36}$$

Substituting equations 35 and 36 into equation 34 and
simplifying yields

$$P = [R_h R_f(2 - R_f)]\,[2(1 - R_h) + R_h R_f(2 - R_f)]. \tag{37}$$

From generic failure rates, it has been determined that
$R_f = 0.999947$ and $R_h = 0.999921$, yielding $U_r \approx 0$ for a
duplex supply. In comparison, the reliability of a completely
simplex supply, i.e., one converter and one
feedback amplifier, is $R = R_h R_f$, which has an unreliability
of $U_s = 132$.

Six supplies are used in the LVDA system; four have
an unreliability of $U_r \approx 0$, and two, which do not have
isolation diodes because of high current requirements,
have an unreliability of $U_r = 5$. The unreliability of the
complete LVDA duplexed power supply system is
$U_r \approx 4(0) + 2(5) = 10$.

A block diagram of the LVDA digital-to-analog
attitude correction conversion system is shown in Figure 12.
The system accepts the attitude correction
commands from the LVDC and converts them to an analog
form which is compatible with the control computer.
It therefore plays a vital and critical function in the guidance
and control of the vehicle. The reliability scheme
employed is basically a PRS system with a reference
channel being compared with that which is normally
active. Two comparators are used in the system; one is
an accurate fine comparator while the other is a coarse
comparator and compares the outputs from the sample
and hold devices and the output amplifiers. The block
diagram of Figure 12 can be further simplified to the PRS
redundancy system shown in Figure 13. If this is done,
the prime, the reference, and the standby units consist
essentially of the nine bit register, the ladder network,
sample and hold circuits, and two amplifiers. The voter
then consists of the fine and coarse comparator. A
single failure in the channel select switch results in a
loss of redundancy. (Although in many cases, multiple
failures can be tolerated, particularly in the various subsystems
within the vehicle, the basic ground rule used
for subsystem design was toleration of one failure.) The
reliability of the system (for all three axes) may be
approximated by the expression derived earlier for this
type of redundancy (equation 1^) but must be modified to
take into account the single failure mode of the switch.
The approximate reliability is given by

$$P = [(R^3 - R^2)(1 - 2R_v) + R]\,R_s \tag{38}$$

where R is the reliability of a channel, $R_v$ is the reliability
of the voter or comparator, and $R_s$ is the reliability
of the switch. It has been estimated that for a
Saturn V mission, R = 0.99i)i;is, $R_v$ = o. !»'.)!){* ei, and
$R_s = 0.999912$, resulting in an overall digital-to-analog
converter unreliability of $U_r = 99$. In comparison, the
unreliability of a simplex system is $U_s = 352$. The
redundancy has consequently resulted in a decrease in
unreliability by a factor of 3.94.



Figure 12. LVDA Digital-to-Analog Attitude
Correction Conversion

Figure 13. LVDA Digital-to-Analog Attitude
Correction Conversion


Because of the nature of digital systems, inter- 
mittent failures are much more predominant than hard 
or solid failures. Therefore, the ability to switch from 
the standby unit back to the prime-reference system has
been incorporated in the converter and the LVDC system.
Since types of failures were not considered in the analy- 
sis, the reliability estimate is pessimistic from this 
standpoint. 

In the LVDA, the reliability assessment has dealt
with isolated examples, mainly the power supply and the
digital-to-analog converter. Two other examples, that
of processing attitude and acceleration inputs, are
covered later. Table III summarizes the reliability of
each major subsystem of the two units, both for the
simplex and redundant case. Also shown is the ratio of
the probability of failure of a simplex unit to that of a
redundant unit. This factor indicates to some degree
what has been gained through redundancy.

Table III. Summary of Unreliability of Simplex and
Redundant LVDC and LVDA

Stabilized Platform System

The stabilized platform is the basic reference for
the Saturn navigation, guidance, and control systems.
The system provides a space direction-fixed coordinate
reference frame which serves as a reference for the
vehicle's attitude. The stabilized element serves as a
base for three mutually-orthogonal accelerometers which
provide the information from which translational velocity
and position of the vehicle are derived. The stabilized
platform system consists of an inertial platform, the
associated electronics for internal stabilization and
processing of output information, an electrical power
supply, and a nitrogen gas supply.

The ST124-M platform used in the Saturn V system
is a three-gimbal device which allows unlimited rotation
of the vehicle about the pitch and roll axes. Rotation
about the vehicle yaw axis (referenced to launch position)
is limited to ± tit) degrees, which is adequate to accomplish
the Apollo mission. To accommodate missions
requiring unlimited gimbal freedom about all three axes,
the capability of incorporating a fourth gimbal has been
designed into the system. On the three-gimbal platform,
the order of the gimbals from the stabilized table outward is
pitch, yaw, and roll, referenced to the vehicle position
at liftoff. Dual-speed resolvers used as angular encoders
on the gimbal pivot provide information from
which the vehicle attitude is derived. Three single-degree-of-freedom
gyroscopes provide the reference for
the stable table on which the three pendulous integrating
gyro accelerometers are mounted. Signal generators on
the output axes of the reference gyroscopes derive electrical
signals proportional to disturbance torques about
the mutually perpendicular axes. These signals are
amplified and shaped in the associated electronics and
used to drive servo torque motors which maintain the
inertial gimbal space-direction-fixed.

The inertial element of the reference gyroscope is a
synchronous hysteresis gyro wheel having an angular
momentum of 2.6 × 10^6 g cm²/s. The wheel is driven at
24,000 rpm from a 400 Hz excitation source. The gyro
wheel is mounted inside a cylinder which serves as the
journal of a gas bearing. The cylinder is suspended on
the side and ends by a film of gaseous nitrogen emanating
from a series of holes in the supporting sleeve. The
signal generator, which senses the angular displacement
of the output axis, and a torque generator used in initial
erection are coupled to the cylinder.

Each pendulous integrating gyro accelerometer 
(three of which are mounted on the stable table) contains 
a single-degree-of-freedom gyro. The gyro motor and 
flywheel are shifted along the spin reference axis to 
provide the desired pendulosity about the output axis. 

The gyro is a synchronous hysteresis type similar in 
construction to the reference gyro but smaller in size. 

It has an angular momentum of 94,000 g cm²/s at a
wheel speed of 12,000 rpm and is driven by the same
400 Hz source that drives the reference gyros. The
accelerometer gyro is also mounted in a gas floated
cylinder. The pendulous cylinder is free to rotate
about the gyro input axis along which the acceleration is 
to be measured. The pendulosity causes a torque and 
therefore a precession proportional to acceleration along 
the input axis. The speed at which the gyro cylinder 
rotates is therefore proportional to acceleration and the 
position is proportional to velocity. An optical incre- 
mental encoder on the input axis is used to measure the 
velocity information. 

A significant portion of the platform supporting
electronics is required to close the platform gimbal
servoloops and the accelerometer servoloops. The
servoloops use a 4.8 kHz suppressed carrier modulation
system with the signal generator outputs being
amplified and demodulated on the gimbals of the
platform. The resulting dc signal from the platform is
routed to a separate electronics box where it is shaped
by a lead-lag stabilization network, remodulated,
amplified, and demodulated to drive a dc power bridge
which supplies current to the appropriate torquer.
Another major function of the supporting electronics is
shaping the accelerometer optical encoder outputs. The
encoder sine and cosine waves are amplified and converted
to square waves for processing in the digital computer
system. This system as well as the gimbal readout
system, both of which interface very tightly with the
digital computer system, is discussed in more detail later.

The supporting subsystems include separate power
supplies which derive, from the vehicle 28 V dc buss,
all ac and dc voltages necessary to operate the platform
system. A three-phase 400 Hz sine wave and three
single-phase square wave reference signals at 4.8 kHz,
1.92 kHz, 1.6 kHz, and 56 V dc are provided. Another
supporting subsystem is the gaseous nitrogen supply
utilized to float the gyro cylinders. Nitrogen is supplied
from a 0.056 m$^3$ (2 ft$^3$) storage reservoir pressurized
to $20.7 \times 10^6$ N/m$^2$ (3000 psi). The gas is regulated to
$10.3 \times 10^4$ N/m$^2$ d (15 psid) for use in the platform.


Because of the problems involved in providing
redundant stabilizing gyros and other platform elements,
the platform does not utilize the extensive redundancy
found in some of the other guidance and control
subsystems. Instead of providing redundancy at the
component or module level, it is more expedient in this
case to provide a total system backup. The spacecraft is
used to back up the Saturn launch vehicle guidance system
during the orbital and translunar injection phases. It
will also provide a backup for the Saturn platform as well
as the guidance computations performed in the digital
computer system. The backup is limited to the later
phases since it is not feasible to implement the guidance
equations used to inject the vehicle into earth orbit
because of limitations of the spacecraft computer memory
capacity. Some consideration is being given to a
secondary simplified reference system within the launch
vehicle (e.g., a strapped-down system) to provide a backup
to the platform during all flight phases. Another approach
being considered is the provision for manual boost
control in the event of a platform system failure. In any
case, the launch vehicle digital system must continue to
function in all phases regardless of the guidance system
backup employed since sequencing, telemetry calibration,
and other functions are still performed by the launch
vehicle digital computer.

In addition to the total system backup, redundancy is
incorporated in certain critical portions of the platform
where it can be readily applied. Primary examples of
this are as follows:

1. The multispeed analog resolvers on the gimbal
pivots, which are used to measure the vehicle angular
orientation with respect to the platform.

2. Two channels of information are provided from
each optical incremental encoder on the accelerometer;
both the optisyns and signal conditioning circuitry are
duplexed. The two channels have equal resolution and
provide a redundant channel of information into the data
adapter.

3. Duplex redundancy is applied in portions of the
circuitry of the power supply package used for excitation
of the stabilizing and accelerometer gyros.

Since items 1 and 2 involve very close interfaces
with the digital computer system, a detailed functional
description of this portion of the guidance and control
system, which includes some platform and some digital
system elements, is covered here. The accompanying
demonstration of reliability improvement through the use
of redundancy is also covered on a functional basis rather
than as individual elements in separate subsystems. In
the overall subsystem reliability assessments, however,
the reliability of the individual elements are included in
their respective subsystems.

A block diagram of the multispeed resolver channels,
including those portions of the digital computer system
data adapter used to process the information and provide
vehicle attitude correction commands, is shown in
Figure 14.

The three resolvers, one for each coordinate axis,
have both a 32:1 and a 1:1 winding on the same magnetic
structure. For the 32:1 winding, 32 electrical degrees
correspond to one mechanical degree. The outputs of the
resolvers are fed through successive platform gimbals
by means of sliprings. The resolver excitation
frequency (1016 Hz) is derived from the digital computer
clock and fed to the platform. Two power supplies are
used, and the system is organized such that no 32:1 and
1:1 system in the same channel receives power from the
same supply. Therefore, the system is arranged such
that a failure in one resolver system or power supply is
backed up by the other system.

The outputs of the resolvers are fed to RC phase
shift networks in the data adapter and then to crossover
detectors (COD) which detect when each signal crosses
zero going positive. This signal is then gated to an
11-bit counter in the data adapter. Crossover of one of
the sinusoidal signals is used as a start pulse and gates
the 2.048 MHz computer clock to the counter. The other
sinusoidal crossover is used to stop or turn off the 2.048
MHz counter. Therefore, the value obtained by the
counter is directly proportional to the phase shift between
the two signals and is representative of resolver shaft
position and vehicle attitude. Either a single or a double
RC network is employed on the single speed resolver.
The 32:1 system employs a double RC network resulting
in an equivalent resolution of 64:1. The selection of a
single or double RC network for the single speed system
is under program control. The single network provides
a whole value; however, in case of failure of the 32:1
system, the resolution of the 1:1 system may be
doubled (2:1) by employing the additional RC network.
(For the 2:1 system to back up the 64:1 system, a
decrease in resolution by a factor of 32 must be tolerated.)



Figure 14. LVDA Gimbal Angle Processing
System

The multiplexers in the data adapter are duplexed
and all resolver inputs are gated through each
multiplexer. The resolver to be read into the duplexed
counters is selected by computer program. The output
of each counter is routed to three (TMR) subtract and
limit check circuits, which compare the counter
readings within a predetermined range. The computer is
alerted if the subtract and limit test has failed. A
counter disagreement indicates either a power supply,
COD, resolver, or counter failure. A power supply
failure results in multiresolver error readings which
may be logically assessed by the computer program.
When the subtract and limit test fails, to determine if the
failure is due to a counter, a pseudo-resolver signal,
which is dependent on the computer program, is used to
turn on the start and stop signal thereby setting a
predetermined value in the counter. If a failure does not
occur in this test, it may be assumed that the counters
are good and that either a COD or resolver error caused
the disagreement between the two values. If the error is
not corrected within a prescribed period of time or
within a given number of iterations, the backup system is
employed. If a failure occurs in the counter test, the
proper counter and serializer channel may be selected
for further use.

For a reliability analysis, this system may be
further simplified as shown in Figure 15. Indicated in
each block are the functions or hardware grouped
together for this analysis. The reliability analysis of the
system may be considered in three parts (Fig. 15). The
first part uses nonconventional duplexing and consists of
the resolver excitation sources, resolvers, platform
sliprings, and COD's. The second portion is made up of
conventionally duplexed input multiplexers, counters, and
serializers. The third part is the TMR subtract and limit
check circuits. The reliability of each part may be
considered independently of the others, and the reliability of
the system is the product of the reliability of each part.



Figure 15. Block Diagram of Gimbal Angle
Processing System

For the unorthodox duplex portion to function
properly, the following conditions must be met:

$E_1 \cdot \bar{E}_2\,(T_1 \cdot T_3 \cdot T_5)$ - one excitation source and three
resolvers must be good, or

$\bar{E}_1 \cdot E_2\,(T_2 \cdot T_4 \cdot T_6)$ - same as above except the other set
of components are considered, or

$E_1 \cdot E_2\,[(T_1 + T_2)(T_3 + T_4)(T_5 + T_6)]$ - both frequency
sources and at least one resolver in each axis must be
functional.

When these conditions are treated in detail, the
reliability of the unorthodox duplex part is

$$P = R_e^2\,(-R_t^6 + 6R_t^5 - 12R_t^4 + 6R_t^3) + 2R_e R_t^3 \qquad (39)$$

where $R_e$ is the reliability of one excitation source, and
$R_t$ is the reliability of platform sliprings, the gimbal
angle resolver, and the two COD's required for each
resolver output.

The reliability of the second and third parts, found
by applying equations 9 and 17, is

$$P = 2R_m - R_m^2 \qquad (40)$$

$$P = \frac{3}{2}R_q - \frac{R_q^3}{2} \qquad (41)$$

where $R_m$ is the combined reliability of one multiplexer,
counter, and serializer and $R_q$ is the reliability of the
subtract and limit check circuitry. Combining these
expressions yields the attitude input system reliability
given by

$$P = \left(R_e^2\,(-R_t^6 + 6R_t^5 - 12R_t^4 + 6R_t^3) + 2R_e R_t^3\right)$$


Generic failure rates for the various components
have led to the following subsystem reliabilities for one
flight.

$R_e = 0.999973$

$R_t = (R_{resolver})(R_{COD})^2 = (0.999914)(0.999994)^2 = (0.999902)$

$R_m = 0.999879$

$R_q \approx 1.$

The unreliability of the system can then be calculated
to be $U_r = 1$. In comparison, the reliability of a simplex
system is given by

$$P = (R_e)(R_t)^3(R_m)$$

and is found to yield an unreliability of $U_s = 442$.

Utilizing redundancy in the system has therefore
decreased the unreliability of the system by

$$U_s/U_r = 442/1 = 442.$$

Note that in the system just described an additional
decision technique has been used, i.e., the computer
logical capability. Previous discussion has been confined
to hardware redundancy; however, with this scheme, the
computer program and logical capabilities ascertain the
system or redundant path to be used for further
operation. This type of decision element provides the greatest
capability and flexibility; however, complicated programs
become even more complex and the normal computational
processes are interrupted while this task is performed.

The second portion of the platform employing
redundancy, the accelerometer readout channels, also
interfaces very closely with the digital subsystem. As
was the case with the gimbal resolver channel, these
elements are also functionally described and the benefits
of redundancy are demonstrated as a single system. A
block diagram of the system used in measuring and
processing the acceleration information is shown in
Figure 16. The figure shows a single measuring
channel. Three identical channels are employed to measure
the vehicle acceleration along three mutually
perpendicular axes.



Figure 16. Accelerometer Processing System

The acceleration sensing device is a single-degree-
of-freedom gyro unbalanced about its output axis. A
torque is produced by the unbalance or pendulosity which
is proportional to the acceleration to which the pendulous
mass is subjected. The precession angle of the gyro is
proportional to the integral of the acceleration. An
optical incremental encoder provides a measure of
inertial velocity with a resolution of 0.05 m/s.

The encoder, which is mounted directly to the gyro
head on the platform, contains lamps, mirrors, lenses,
photocells, and amplifiers. The lamps are excited by
a 5 V 400 Hz supply from the platform system. Light from
the lamps, which are equally spaced around the periphery
of the encoder, is reflected from the mirrors through
lenses and passes through two glass discs. Each disc has
deposited on it equally spaced opaque lines. Mirrors are
used to reduce the number of light bulbs required. One
disc is fixed while the other rotates. The light input to
each pair of photocells or the input signal to the
amplifiers approximates sinusoidal functions as one of the discs
rotates relative to the other. The photocells are
connected such that maximum signal pickup occurs on one
photocell while the other photocell pickup is minimum and
vice versa. Effectively, one pair of the photocells
generates the positive portion of the sine wave while the
other pair produces the negative portion of the wave.
From the amplifier in the encoder on the stable element,
the signal is fed through the three platform gimbals by
means of sliprings to the accelerometer signal
conditioner unit where the signal is further amplified and
clipped to obtain square waves.

Two signals (one sine and one cosine) for each
channel are fed to the data adapter. These signals represent,
in gray code, incremental velocity inputs. One sine
wave and one cosine wave are processed in the data
adapter logic to give four velocity increments, each
increment representing a change in velocity of 0.05 m/s.
Before this is used by the computer system, it is
converted to a binary number. After the gray code to binary
conversion, the 0.05 m/s incremental inputs are summed
in a recirculating register in the data adapter. The
register is 111 bits plus sign; therefore, a velocity of
2 'I h m s can be accumulated before it overflows. This
value is read into the computer approximately once per
second, and the entire value velocity of 26 bits stored in
computer memory is updated.

Figure 17 indicates the accelerometer readout
system organization from a reliability standpoint. The
20 V dc and 5 V 400 Hz power required in the encoder
amplifiers and for light bulb excitation is simplex. The
voltages to the accelerometer encoders and signals from
the platform to the LVDA are fed through platform
sliprings. Each block to the immediate right of the power
supply consists of the accelerometer encoder (made up
of lamps, photocells, an amplifier, and platform sliprings),
amplifiers, and signal conditioners located in the
platform electronics. The output of each block consists of
two signals, a sine and cosine wave, which are necessary
to obtain the velocity increments in one axis. (Although
magnitude can obviously be obtained from one signal,
two signals are necessary to determine direction.) Each
part of the gray code to binary conversion is unique to
each of these signals and will be lumped with the block on
its left for reliability analysis. After conversion to gray
code, two accelerations in a different axis are stored
together in a register in a glass delay line as indicated in
the figure. One of three delay lines can fail without
resulting in a system failure; however, other
combinations of accelerometer or signal condition failures can
result in a system failure. The system is rather
complicated to analyze; however, the following general
conditions apply:

1. With a failure in either the compare and increment
logic, and/or one delay line, one of the other
accelerometer signals not associated with the failed
logic or delay line can be lost without a system failure;
i.e., if in Figure 17 the top channel delay line is lost,
$X_1$ and Y are lost. A failure in either of the Z
accelerometer inputs can be tolerated, but a failure in either
X or $Y_1$ results in a system failure. Similar reasoning
is appropriate for each of the other channels.

2. With all increment logic and the three delay lines
functional, only one accelerometer signal in each of the
three axes is required.



Figure 17. Accelerometer Processing System 


The reliability of that part of the system between the
power supplies and the input multiplexer is given by

$$P = 3R_i^2\,(1 - R_i)\,R_k^2\,(2R_k - R_k^2) + R_i^3\,(-R_k^6 + 6R_k^5 - 12R_k^4 + 8R_k^3) \qquad (43)$$

where $R_i$ is the reliability of one channel of logic
including increment logic and the delay line, and $R_k$ is the
reliability primarily of the accelerometer encoder and
signal conditioning circuitry although it also includes
platform sliprings, isolation amplifiers, and gray code
to binary conversion logic.

The input multiplexers are conventional TMR and
from equation 17 have a reliability given by

$$P = \frac{3R_m - R_m^3}{2}$$

where advantage has been taken of failures in opposite
directions. $R_m$ is the reliability of a simplex
multiplexer.

The reliability of the complete redundant system
then is given by

$$P = R_e\,[\,3R_i^2\,(1 - R_i)\,R_k^2\,(2R_k - R_k^2) + R_i^3\,(-R_k^6 + 6R_k^5 - 12R_k^4 + 8R_k^3)\,] \qquad (45)$$

where $R_e$ is the reliability of the 20 V and 5 V excitation
sources and includes those sliprings necessary to get
power to the encoders, and all other quantities are as
previously defined. Generic failure rates and subsystem
analysis yield the following reliabilities for those terms
in equation 45.

$R_e = 0.999966$, $R_i = 0.999998$, $R_k = 0.999510$, and
$R_m = 0.999999$. Evaluation of equation 45 using these
values yields a total system unreliability of 35.

A simplex system would have a reliability given by

$$P = (R_e)\,R_k^3 R_i^3 R_m. \qquad (46)$$

Using these subsystem reliabilities results in a simplex
unreliability of 1511.

Comparing the unreliabilities of the redundant and
simplex systems indicates a gain factor of 43.2 over the
simplex system.
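
As an added check that is not part of the original paper, the Python sketch below enumerates every good/failed combination of the gimbal resolver arrangement and of the accelerometer readout arrangement, and compares the result with the closed forms of equations 39 and 43. The assignment of accelerometer signals to delay lines (PAIRING), taking $R_q$ as 1, and an even split of TMR failure directions are assumptions.

```python
from itertools import product


def failure_probability(shared, channels, n_axes):
    """Exact probability that at least one axis has no usable channel.

    shared   -- reliabilities of shared elements (excitation sources, delay lines)
    channels -- (reliability, index of its shared element, axis) tuples
    A channel is usable only if it and its shared element are both good.
    """
    rel = list(shared) + [r for r, _, _ in channels]
    p_fail = 0.0
    for state in product((True, False), repeat=len(rel)):
        shared_ok, chan_ok = state[:len(shared)], state[len(shared):]
        alive = {axis for ok, (_, s, axis) in zip(chan_ok, channels)
                 if ok and shared_ok[s]}
        if len(alive) < n_axes:
            prob = 1.0
            for good, r in zip(state, rel):
                prob *= r if good else 1.0 - r
            p_fail += prob  # sum the small failure terms directly
    return p_fail


def eq39(re, rt):
    """Closed form for the unorthodox duplex resolver portion."""
    return re**2 * (-rt**6 + 6*rt**5 - 12*rt**4 + 6*rt**3) + 2*re*rt**3


def eq43(ri, rk):
    """Closed form for the accelerometer signals and delay-line logic."""
    return (3*ri**2 * (1 - ri) * rk**2 * (2*rk - rk**2)
            + ri**3 * (-rk**6 + 6*rk**5 - 12*rk**4 + 8*rk**3))


# Gimbal angle system: reliabilities quoted in the text.
R_E, R_T, R_M = 0.999973, 0.999902, 0.999879
# Each axis has two resolvers, one on each excitation source.
RESOLVERS = [(R_T, src, axis) for axis in range(3) for src in range(2)]


def resolver_redundant():
    front = 1.0 - failure_probability([R_E, R_E], RESOLVERS, 3)
    duplex = 2*R_M - R_M**2            # duplexed multiplexer/counter/serializer
    return 1.0 - front * duplex        # subtract-and-limit TMR taken as 1


def resolver_simplex():
    return 1.0 - R_E * R_T**3 * R_M


# Accelerometer readout system: reliabilities quoted in the text.
A_E, A_I, A_K, A_M = 0.999966, 0.999998, 0.999510, 0.999999
# Assumed pairing (delay line, axis): each line stores two signals from
# different axes and each axis has its two signals on different lines.
PAIRING = [(0, 0), (0, 1), (1, 1), (1, 2), (2, 2), (2, 0)]


def accelerometer_redundant():
    signals = [(A_K, line, axis) for line, axis in PAIRING]
    middle = 1.0 - failure_probability([A_I] * 3, signals, 3)
    # TMR in which two opposite-direction failures cancel, assuming failures
    # split evenly between the two directions: (3R - R^3) / 2.
    mux = (3*A_M - A_M**3) / 2
    return 1.0 - A_E * middle * mux


def accelerometer_simplex():
    return 1.0 - A_E * A_K**3 * A_I**3 * A_M


if __name__ == "__main__":
    for name, red, simp in (
        ("gimbal resolver", resolver_redundant(), resolver_simplex()),
        ("accelerometer", accelerometer_redundant(), accelerometer_simplex()),
    ):
        print(f"{name}: redundant {red*1e6:.2f}, simplex {simp*1e6:.2f} "
              f"failures per million, gain {simp/red:.1f}")
```

The enumeration gives about 0.06 failures per million for the redundant gimbal angle system, under the value of 1 used in the text, and about 34.7 against 1510 for the accelerometer readout system.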

Note that the reliability of the stable elements and 
the accelerometers was not included in this analysis. 
Only that part of the system used in processing acceler- 
ometer information was included. Since the acceler- 
ometers are simplex, an accelerometer failure could 
result in a system failure. 

The value of the computer in recognizing failures is
further illustrated in this system. The computer system
reads both the prime acceleration and its backup, i.e.,
$X_1$ and $X_2$, etc., and performs a reasonableness test
before either is used in the solution of the guidance
equation. The computer subtracts the two values stored
in the delay lines to determine if the values are
consistent or in agreement. If they compare within reasonable
limits, either value may be used. If a difference exists,
the computer then compares each value with previous
values to determine which delta value is more
reasonable. The velocity profile of the vehicle can be
approximated with a fair degree of accuracy through simulations
before flight, and maximum delta velocities expected
between successive readings can be determined within
reasonable limits.
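
The reasonableness test described above can be sketched as follows; this is an added example, not the flight program. The agreement limit, the maximum delta, the use of a predicted delta to break ties, the fallback when both readings are implausible, and the sample readings are all assumptions constructed for illustration.

```python
COUNT_M_PER_S = 0.05  # one velocity increment, as stated in the text


def select_reading(prime, backup, previous, expected_delta,
                   agree_limit=2, max_delta=800):
    """Choose which redundant velocity reading (in counts) to use.

    previous       -- last accepted reading
    expected_delta -- change predicted from the preflight velocity profile
    Returns (count, source).
    """
    # Step 1: the two delay-line values agree, so either may be used.
    if abs(prime - backup) <= agree_limit:
        return prime, "agree"
    # Step 2: they disagree; keep only readings whose change since the
    # previous value is within the maximum expected delta velocity.
    readings = {"prime": prime, "backup": backup}
    plausible = {name: value for name, value in readings.items()
                 if abs(value - previous) <= max_delta}
    if not plausible:
        # Assumed fallback: neither channel is believable, use the prediction.
        return previous + expected_delta, "predicted"
    # A stalled channel shows a delta of zero, which passes a pure maximum
    # test, so the delta closest to the predicted one is taken.
    best = min(plausible,
               key=lambda n: abs(plausible[n] - previous - expected_delta))
    return plausible[best], best


# Constructed samples: previous reading 2000 counts (100 m/s) and a
# predicted change of 400 counts (20 m/s) over the one-second read interval.
CASES = [
    ("channels agree", 2400, 2401),
    ("backup stalled", 2400, 2000),
    ("prime jumped",   4400, 2399),
    ("both implausible", 4400, 100),
]


def run_cases(previous=2000, expected_delta=400):
    return [select_reading(p, b, previous, expected_delta) for _, p, b in CASES]


if __name__ == "__main__":
    for (label, _, _), (count, source) in zip(CASES, run_cases()):
        print(f"{label:17s} -> {count * COUNT_M_PER_S:7.2f} m/s from {source}")
```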

The third example of redundancy within the platform
system is the ac power supply. Although a portion of the
circuitry is simplex, duplex redundancy is employed in
the oscillator and frequency divider circuitry.

From the primary 28 V dc vehicle power source,
the power supply derives the ac power to drive the gyro
wheels and provides the excitation voltage for the gimbal
synchros and resolvers. A simplified block diagram of
the power supply is shown in Figure 18.

The power supply uses a quartz crystal oscillator
as a reference. By frequency division, temperature-
stable square waves of 19.2 kHz, 4.8 kHz, 1.92 kHz,
and 1.6 kHz are derived. The buffered 1.6 kHz and
1.92 kHz square waves are used as reference signals
for the platform resolvers. The 4.8 kHz output is
routed to the platform electronics assembly where
it is utilized in the platform and accelerometer
stabilizing circuits. The 4.8 kHz square wave is also
used as the reference for a cyclic register, which
produces six push-pull 400-Hz square wave outputs in 36-
degree increments. The output of this circuitry is
transformed and filtered to provide the 3-phase 400 Hz
sine wave power which drives the platform gyros.

As indicated in Figure 18, the oscillator, frequency
divider, and cyclic register circuits are duplicated. The
signal from each channel is fed to the failure detection
and switchover circuitry. Both of the duplicated channels
are energized, with only one actively controlling the
power supply. Any failure in the active oscillator
circuitry causing a detectable loss of output voltage will result
in an automatic switchover to the standby section.

Figure 18. Platform AC Power Supply


To portray the benefits of the redundant circuitry on
the overall power supply reliability, a simplified
reliability model is shown in Figure 19. The reliability of a
single channel of the redundant portion of the system is
$R = 0.999845$. Applying equation 9 to the duplex redundant
oscillator section yields $P = 0.999999$ and $U_{rp} = 1$. The
equivalent unreliability of the various segments of the
power supply is indicated in Figure 19. Considering the
duplex oscillator and adding the unreliability of the
simplex elements results in

$$U_r = U_{sp} + U_{rp} = 2 + 356 + 11 + 1 = 370.$$


Figure 19. Platform AC Supply
(Simplified Model)


If the total power supply including the oscillator
was simplex, the unreliability would be

$$U_s = 2 + 155 + 356 + 11 = 524.$$

The overall benefit of redundancy in this case is the
reduction of the unreliability by the following ratio.

$$\frac{U_s}{U_r} = \frac{524}{370} = 1.42.$$


The relative improvement is considerably below that
obtained in some of the other subsystems because a
significant portion of the power supply circuitry could
not readily be made redundant.

To demonstrate the overall platform system
reliability, the system is assessed by individual elements.
The total system consists of six major elements: an
inertial platform, a platform electronics assembly, an
accelerometer signal conditioner, an ac power supply,
a 56 V dc power supply, and a nitrogen gas supply. A
block diagram indicating the interconnection of these
various elements is shown in Figure 20; the unreliability
of these elements for the 6.8 hour mission is indicated.
The numbers shown include the reliability improvements
in those various elements where redundancy is applied.

As shown, the total unreliability of the system including
the redundant elements is $U_r = 13,531$. If the system
was totally simplex, the following increase in
unreliability in the three segments previously discussed would
result.

Resolver channels: $U_s = (3 \times 86) = 258$

Accelerometer readout channels: $U_s = (3 \times 488) = 1464$

Ac power supply: $U_s = 155$

Total increase 1877

Therefore, the unreliability of a totally simplex platform
system would be $U = 13,531 + 1877 = 15,408$. The
overall system improvement ratio resulting from redundancy
is therefore

$$\frac{U_s}{U_r} = \frac{15,408}{13,531} = 1.14.$$

Figure 20. ST124-M Platform System


Figure 21 is a schematic of the guidance system
indicating that the launch vehicle platform system is
backed up by the spacecraft system. A failure of the
Saturn launch vehicle platform is sensed by the digital
system by comparing the measured gimbal angle rates
with nominally expected values. When an unreasonable
signal is read, the digital system operates a light on the
astronaut's control panel. In addition, the astronaut
has displayed information derived from various
spacecraft sensors, as well as communications with ground,
from which indication of the system performance can be
derived. If a failure or degraded performance of the
launch vehicle system is indicated, the astronaut can
switch the spacecraft guidance signals directly into the
launch vehicle control computer. This implementation
does not provide a total backup for the digital system as
well as the platform; the digital system must continue to
perform many other vehicle functions.

Figure 21. Platform Backup System

To obtain an approximation of the benefit derived
from this backup arrangement, it is assumed that the
two guidance systems are equally reliable and that the
sensing and switching mechanisms are simple and
reliable as compared to the overall systems. The
unreliability of the launch vehicle platform system can be
broken down as (1) through earth orbit injection,
$U_{ra} = 8645$, and (2) balance of launch vehicle mission,
$U_{rb} = 4886$.

Applying equation 9 to $U_{rb}$ yields

$$(U_{rb})^2 = (4886 \times 10^{-6})^2 \times 10^6 = 24$$

where $(U_{rb})^2$ is the unreliability of the platform systems
during the period when the launch vehicle platform is
backed up by the spacecraft platform, i.e., from orbital
injection to completion of the mission. With guidance
backup applied only during the orbital and lunar
injection phases, the platform system unreliability
consequently is

$$U_r = U_{ra} + (U_{rb})^2 = 8645 + 24 = 8669$$

where $U_{ra}$ is the unreliability of the launch vehicle
platform through orbital injection.

Other backup approaches that would further reduce
the unreliability have also been mentioned previously.
The possibility exists that platform system backup could
be provided throughout the launch vehicle flight by a
simplified strapped-down guidance system, or by relying
on the astronaut to manually control the system in the
event of failure. In the latter case, the astronaut would
monitor vehicle angular and translational indications
provided in the spacecraft to steer the vehicle into orbit
with a degraded accuracy as compared to the primary
guidance.

If the same simplifying assumptions as with the
spacecraft guidance backup system are made (i.e.,
P (backup) = P (primary), and P (sensing and switching)
0), the following unreliability results from equation 9.

$$U_r = (U_{rab})^2 = (13,531 \times 10^{-6})^2 \times 10^6 = 183$$

where $(U_{rab})^2$ is the unreliability of the system when the
launch vehicle platform is totally backed by another
system during all phases of launch vehicle operation.

A resume of the platform system unreliability and
the benefits of the backup schemes are shown in Table IV,

Table IV. Platform System

                                      U_r      U_s    U_s/U_r
Launch vehicle system               13,531   15,408     1.14
With backup out of orbit             8,669   15,408     1.77
With proposed total flight backup      183   15,408    84.30

which indicates that a very significant reduction in
unreliability in the platform system can be obtained only
by providing a backup throughout the total flight.
Therefore, several total backup approaches are being pursued.

Control System

For a logical functional description and practical
redundancy application, the control system is broken down
as attitude rate sensing, multiengine (S-IC and S-II)
stage propelled phase control, single-engine (S-IVB)
propelled phase control, and S-IVB coast phase control.

The rate sensing system is composed of two boxes
containing the rate sensors (the rate gyro package) and
the associated electronics (the control signal processor
package). The rate gyro package contains nine rate
gyros so arranged that angular rate about each of the
vehicle axes (pitch, yaw, and roll) is sensed by three
separate instruments; thus three separate signals,
independently derived, are available for each axis. The
individual rate gyros are single-degree-of-freedom
instruments containing a spin motor which operates at a
synchronous speed of 24,000 rpm and has an angular
momentum of 30,000 g cm$^2$/s. Angular rates about
the input axis, which is aligned with the vehicle pitch,
yaw, or roll axis depending on the case mounting
direction, are sensed by a 400 Hz microsyn pickoff that is
electromagnetically coupled to the gyro gimbal. The
output of the microsyn is proportional to the vehicle
angular rate about the input axis. The microsyn outputs,
one from each of the three instruments in each axis, are
fed in parallel into the control signal processor. Nine
demodulator modules, three for each axis, receive the
rate gyro error signals. Each demodulator module
amplifies the input signal and provides a plus or minus
dc voltage proportional to the ac input amplitude.

The power for the rate sensing system is obtained
from three separate 28 V battery supplies over three
busses. Three static inverters in the control signal
processor supply the 20 Vrms 400 Hz power to the rate
gyros and demodulators; likewise, three dc power
circuits supply the necessary 60 volts to the demodulators.
Each primary power buss with its associated inverter
and dc power circuit supplies three gyros and associated
electronics; one in each of the pitch, yaw and roll
groups.

The rate sensing utilizes the PRS form of
redundancy. A simplified diagram of one channel neglecting
power supplies is shown in Figure 22. The rate signal
outputs from the primary command demodulator and the
reference demodulator are sent to a comparator, which
consists of two differential amplifiers, an amplitude
sensor, and a relay driver. If the difference between
the primary and reference channels exceeds a preset
level, the comparator circuit operates relays which
switch the primary channel out of operation and
substitute the standby channel into the primary command
position. Thus, if a malfunction occurs in either the
primary or reference channels, the standby channel will
be substituted. If a malfunction occurs in the standby
channel with the other channels performing properly, no
switching occurs. The difference level, at which the
circuit switches (1.65 deg/s), is determined from
compromise considerations of hardware tolerance
characteristics and expected vehicle motions. The reference
channel serves solely as a reference and is never used to
provide the rate command to the remainder of the system.
The PRS redundancy as implemented in this subsystem
does not provide the capability of switching back during
flight to the primary channel after the standby channel
has been substituted. Such an arrangement causes the
subsystem to revert to an equivalent simplex system
after a single discrepancy, even if it is transient in
nature. A multiple switching capability such as that
utilized in the digital system would be more reliable,
but would also be more difficult to implement in an
analog system.


The reliability assessment of the individual blocks
shown in Figure 22 is


H (H, 

ilemod) 


<I< , ) 

rate gyro 


( 0. ( 0. 99X453 ) 


0 9! Ik 37 2 


H 0. 9999:; 1. 
v 

These numbers are applicable to the total (light time , 
since- tiic rale sysU m must function throughout flight 
Apply mg these- numbers in e<|uation is for the- Hits system 
yields i* (». !>fi*.*‘.< , .*4 ; eir. cxprcsscil in terms of malfunc- 
tions per million flights, l ; i . i'lie- numbers shown in 




21 



Figure 22 express the unreliability of the individual would npplv. Therefore, the improvement through redun- 

channels of the PRS system. For the equivalent simplex danc.v is U /l 218. 
system, 1G28. 



Figure 22. Attitude Rate System
(Single Channel)


If the rate control system was composed of three
uncoupled control axes, the unreliability of the total
system could obviously be obtained by multiplying the
above redundant unreliability (U_r) by three. The
three axes are independent except for the internal
power supplies. If the internal power supplies are
considered, however, the treatment is not quite so
straightforward since each of the three power supplies drives
one channel in each of the pitch, yaw, and roll axes. A
simplified block diagram of the complete three-axis
system with the power supply interconnection arrangement
is shown in Figure 23. The expression applicable
to the total three-axis system shown is


R = R * i < R 3 — R* ) ( 1 - 2R ) + R) 
e v 

t 3 ( 1-R ) It 2 RR l < 1— R ) - R ( 1-2R )] 
e e v v v 


(47) 


where R_e = reliability of one of the three power supplies
(inverter and 60 V dc supply, combined) and the other
terms are as previously defined. The first term in the
expression represents the probability of all outputs being
good when all three power supplies are assumed to be
good. The second term represents the combination of
properly functioning situations which result when the
power supplies are assumed to fail singly. When two or
more power supplies are lost simultaneously, a failure
results in either pitch, yaw, or roll. In equation 47,

R_e = (R_inverter)(R_dc supply) = (0.999897)(0.999915) = 0.999812

and R and R_v are as previously indicated.

For the total subsystem, P = 0.999980 and
U_r = 20. If the system was simplex, U_s = 4972.


Figure 23. Attitude Rate System
(All Channels)

The vehicle attitude rate signals derived in the
subsystem, as well as the desired vehicle attitude derived
from the stabilized platform and digital computer, are
utilized to direct and stabilize the vehicle. The flight
control computer processes these input signals and
derives in an analog manner the appropriate command
signals for the gimbaled engine actuators and auxiliary
thruster valves to torque the vehicle as required.
Control torques on the first two stages (S-IC and S-II) are
derived by positioning the four gimbaled engines on each
stage. The control torques for the upper stage (S-IVB)
are obtained by gimbaling the single main engine and
activating the six fixed-direction auxiliary engines. The
two techniques are different in basic layout and are
discussed separately.

A layout of the control system of the multiengine
stages is shown in Figure 24. There are six inputs to
the control computer, an attitude and attitude rate for
each of the three axes. These signals are individually
scaled, filtered, and then routed to the appropriate
servoamplifiers which drive the engine actuators. The
elements of particular interest in this chain are the
filters, or shaping networks, the servoamplifiers, and
the servoactuators. The characteristics of each shaping
network are those required to satisfactorily provide the
required stability margins, taking into account the
vehicle structural bending, propellant sloshing, and transfer
functions of the remainder of the guidance and control
system. In this module, compensation is made for
variation between individual vehicles and individual
missions. Extensive analysis is required to derive the
shaping networks for each particular mission. This
particular module, along with its associated isolation
amplifiers, is simplex in each of the two multiengine
stages. The simplex approach was chosen in this case
for two reasons. First, since the mission time of each
multiengine stage is relatively short in duration and the
shaping networks are composed of only a few components,
the predicted reliability is high even for the simplex
version. The second reason is one of engineering
compromise to conserve weight and space. Although simple
in configuration, the networks are bulky compared to
other modules of the control electronics because of the
large size of some of the electronic components
(capacitors and inductors) required to accomplish the
necessary shaping at the low control bending mode frequencies
in the range of 0.5 to 5 Hz.


Figure 24. S-IC or S-II Stage Control System

Each servoamplifier is composed of a magnetic
mixing amplifier, followed by transistor stages which
provide the necessary power gain. There are a number of
inputs to each magnetic amplifier, which is the point in the
system where the attitude and rate signals from the
appropriate axes are combined. The various input
signals into the magnetic amplifier are galvanically
isolated from each other since each is applied to a
separate winding. The excitation signal for the magnetic
amplifier is derived from a chopper-stabilized inverter
which converts the dc source to a one kHz signal. The
outputs of the eight servoamplifiers drive eight
corresponding servoactuators which position the four gimbaled
engines as required. These hydraulic servoactuators
and the associated fluid supplies make up the other major
elements in the multiengine control system. The
hydraulic systems of the S-IC and S-II are designed differently
to satisfy the individual stage requirements.

A simplified schematic of the S-IC hydraulic
servoactuator is shown in Figure 25. The servoactuator
receives from the servoamplifier an electrical signal
which represents the desired engine position. The
electrical signal is applied to the servovalve torque
motor, causing a pressure differential to exist between
two orifices. This pressure differential positions a
spool which in turn regulates the flow in a manner to
control the position of a second spool. The flow regulated
by this second spool determines the actuator piston
location and, therefore, the gimbal angle of the attached
engine. The entire system is essentially a three-stage
hydraulic power amplifier. In addition to providing the
necessary power amplifications and conversion, the
servoactuator must also meet certain dynamic response,
load damping, and stiffness requirements. These
features are provided by hydraulic pressure feedback and
shaping within the actuator. The servoactuator also
employs the principle of mechanical feedback, which
improves reliability by eliminating the need for actuator
position information to be electrically sensed and fed to
the control computer over long lines through multiple
interfaces. The feedback mechanism converts the
rectilinear motion of the actuator to a force which
counteracts the electromotive force of the input signal on
the first stage of the servovalve.

Figure 25. Schematic of S-IC Servoactuator

The actuator has a stall load of 507,000 N (114,000 lb)
which is equivalent to a torque of 810,000 Nm (600,000
ft lb) as applied to the gimbaled engine. The expected
operating torque range is 540,000 Nm and below; the
major torques to be overcome are contributed by
propellant duct loads and a thrust vector which does not
pass through the center of the engine gimbal bearing. In
the presence of these and other loads, the actuator can
position the engine through an angle of ±5.2 degrees at
a rate of 5 deg/s.

The fluid supply for the S-IC servoactuator is RP-1
fuel taken directly from the turbopump which also supplies
the main engine. This makes an extremely simple and
reliable onboard hydraulic supply since only filters and
interconnecting ducting must be added to the propulsion
distribution system. The individual gimbal systems are
independent because the turbopump on each engine
furnishes the supply for the actuators on that engine.

The S-II servoactuator is functionally similar to the
S-IC servoactuator although physically much smaller.
The hydraulic flow rates required to position the engine
are much lower, so only two stages of hydraulic
amplification are required. Mechanical feedback, pressure
feedback, and hydraulic shaping are also employed in
this actuator. The S-II actuator has a stall load of
202,000 N (45,500 lb). The maximum load expected
to occur during flight is 133,000 N (30,000 lb). The
S-II (J-2) engine is gimbaled through an angle of ±7.3
degrees at a rate of 10 deg/s.


The S-II fluid supply is different from the S-IC in
that a closed high-pressure system is utilized. The
hydraulic power source is a pump driven by the
turbopump shaft on each gimbaled engine. The other major
components in the fluid supply are an accumulator, which
supplies flow to supplement the main pump during periods
of peak demands, and a low flow auxiliary pump.

To illustrate the reliability improvement afforded
by the multielement control on the first two stages, a
block diagram of one-axis control neglecting the
hydraulic supply is shown in Figure 26. The case illustrated is
S-IC or S-II pitch control; the shaping networks and
associated amplifiers are simplex. The servoamplifiers
and actuators are representative of the inherent MPE
redundancy.

Figure 26. S-IC or S-II Stage Pitch Control System

If one element of the MPE configuration can fail
without a loss of the mission, the unreliability is
dramatically reduced compared to a system requiring
all elements to function. This capability can be designed
into a system by a certain overdesign as compared to a
nominal failure-free situation. For instance, in the
gimbal system under discussion, an additional gimbal
angle and gimbal rate capability must be provided.
Structural and aerodynamic aspects must also be
considered. During certain times of flight and under certain
combinations of adverse conditions, the S-IC and S-II
stages cannot be controlled with a failure in one element
of the MPE configuration. In a precise analysis, the
probability of loss of mission in the event of a failed
channel during the various flight phases would have to be
considered. The capability of maintaining control when
a channel is lost exists during an appreciable portion of
the flight; however, the simplifying assumption is made
here that MPE redundancy exists throughout. With this
assumption, the reliability of the MPE portion of the
subsystem for the S-IC stage can be found from equation
21, where

R = (R_electronics)(R_actuator) = (0.999967)(0.999424) = 0.999391

resulting in P = 0.999997 and U_rp = 3. For the simplex
portion of the electronics,

R = (0.999953)(0.999976) = 0.999929

and U_sp = 71. Adding the simplex and redundant portions
yields U_r = U_sp + U_rp = 71 + 3 = 74.

The probability of failure for the simplex elements
and individual parallel elements is shown in Figure 26.
If all elements must function properly (i.e., if no
inherent redundancy exists), the unreliability is found by
adding the unreliability of all elements; thus

U_s = 47 + 24 + 4(33 + 576) = 2507.

The layout for the yaw channel control is similar to
that for pitch. Except for a slight difference in the
shaping networks, the circuits for the two channels are
identical. As shown in Figure 27, the roll signal is mixed
with the pitch and yaw signals in all eight channels. The
applicable unreliability numbers are also shown. In
addition to the numbers developed, Table V shows the
unreliability of the complete S-IC pitch, yaw, and roll
control system (electronics plus actuators) for the
implemented redundant system as well as a corresponding
simplex system.

Figure 27. S-IC or S-II Stage Control System
(Simplified Model)


The hydraulic fluid supply systems have not been
included in this assessment. The layout of the S-IC and
S-II hydraulic systems is such that the fluid supply
attached to each engine drives the pitch and yaw actuator
of that engine. A block diagram of the overall stage
gimbal system and the unreliability of the individual
blocks is shown in Figure 28. If a loss of one MPE
channel in both pitch and yaw can occur simultaneously
without loss of control, which is consistent with the
assumptions previously made, the capability of loss of
one fluid supply out of the four also exists. Since the
general equations cannot be applied directly to a
multielement system having this interconnection arrangement,
a specific equation has been derived for this
multielement layout. With the assumptions stated, the
following expression results:

P = R_j^8 R_w^4 + 8 R_j^7 (1 - R_j) R_w^4

    + 4 R_w^3 (1 - R_w) R_j^8 + 16 (1 - R_j)^2 R_j^6 R_w^4        (48)

    + 8 (1 - R_j) R_j^7 (1 - R_w) R_w^3

where R_j = individual actuator-servoamplifier reliability
as previously indicated and R_w = individual hydraulic
supply reliability = 0.998581 for the S-IC stage. Inserting
the reliability numbers into equation 48 and reconverting
results in the total subsystem assessment shown in
Table V. The overall improvement ratio resulting from
redundancy is U_s/U_r = 49.1.

Figure 28. Multiengine Stage Gimbal System


Table V. S-IC Control

                                               U_rp   U_sp   U_r    U_s    U_s/U_r
Pitch, neglecting fluid supply                   3     71     74    2507    33.9
Pitch, yaw, and roll, neglecting fluid supply    6    213    219            23.2
Pitch, yaw, and roll, including fluid supply    37    213    250
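Equation 48 can be cross-checked by enumerating every state of the eight actuator-servoamplifier channels and four fluid supplies under the stated assumption that one lost channel per axis is survivable. This is an added example, not the authors' calculation: it reads equation 48 with exponents that total eight channels and four supplies in each term, and it takes R_j from the 33 and 576 per-million figures in the simplex sum 47 + 24 + 4(33 + 576); the function names are hypothetical.

```python
from itertools import product

# Inputs read from the page (assumption: 33 and 576 failures per million are
# the servoamplifier and actuator values; 0.998581 is one S-IC fluid supply).
R_J = (1 - 33e-6) * (1 - 576e-6)   # one actuator-servoamplifier channel
R_W = 0.998581                     # one hydraulic supply


def eq48(r_j, r_w):
    """Closed form as read here from equation 48."""
    q_j, q_w = 1 - r_j, 1 - r_w
    return (r_j**8 * r_w**4                      # everything works
            + 8 * r_j**7 * q_j * r_w**4          # one channel lost
            + 4 * r_w**3 * q_w * r_j**8          # one supply lost
            + 16 * q_j**2 * r_j**6 * r_w**4      # one pitch and one yaw lost
            + 8 * q_j * r_j**7 * q_w * r_w**3)   # one supply and one channel


def enumerate_states(r_j, r_w, engines=4):
    """Sum the probability of every hardware state that keeps control."""
    p_success = 0.0
    for state in product((True, False), repeat=3 * engines):
        pitch = state[:engines]
        yaw = state[engines:2 * engines]
        supply = state[2 * engines:]
        prob = 1.0
        for ok in pitch + yaw:
            prob *= r_j if ok else 1 - r_j
        for ok in supply:
            prob *= r_w if ok else 1 - r_w
        # A channel delivers torque only if it and its engine's supply work,
        # so a failed supply removes that engine's pitch and yaw channels.
        pitch_lost = sum(not (pitch[e] and supply[e]) for e in range(engines))
        yaw_lost = sum(not (yaw[e] and supply[e]) for e in range(engines))
        # Simplifying assumption from the text: control survives the loss of
        # one channel in pitch and one in yaw, at any time of flight.
        if pitch_lost <= 1 and yaw_lost <= 1:
            p_success += prob
    return p_success


def per_million(p_success):
    """Convert a success probability to malfunctions per million flights."""
    return (1 - p_success) * 1e6


if __name__ == "__main__":
    print("equation 48 :", round(per_million(eq48(R_J, R_W)), 2))
    print("enumeration :", round(per_million(enumerate_states(R_J, R_W)), 2))
```

Both routes give about 37 malfunctions per million, the value listed in Table V for the case including the fluid supply. The enumeration is higher in success probability by roughly 2e-9 because it also counts states in which an actuator on the engine with the failed supply has failed as well.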


Note that this analysis does not specifically consider the
effect of "engine-out," i.e., the loss of propulsion of
one of the four control engines. Even though the direct
effect on the control system, which would be the loss of
control torques derived from one actuator in each axis, is
considered, other interactions are not treated in this
simplified analysis.

As previously mentioned, the basic layout of the S-II
control system is similar to that of the S-IC. Except
for shaping networks, the electronics for the S-IC and
S-II are identical, with the outputs of the servoamplifiers
being switched at staging. Figures 26, 27, and 28 apply
also to the S-II stage and show the corresponding
unreliability numbers for the individual major elements for both
stages. Similarly, equations 21 and 18 are used in the
reliability assessment. The numbers used in the S-II
stage assessment are R_j = 0.999570 and R_w = o. !>*i7.
The results are shown in Table VI. The overall
improvement ratio in the S-II stage through redundancy is
U_s/U_r = 40.8.

Table VI. S-II Control

3662
Pitch, yaw, and roll, including fluid

The layout of the propelled phase pitch and yaw
control of the S-IVB is basically different from that of the
multiengine stages. Since only one main propulsion
engine is employed, the control torques are derived by
positioning a single actuator in each axis. A layout of
the pitch and yaw control system is shown in Figure 29;
the layout of the pitch and yaw channels is similar.
Control about the roll axis is maintained by auxiliary
engines and is discussed later. The electronic modules
in the pitch and yaw channels are similar to those
previously discussed, with the identical modules employed
in the first two stages being used where possible. The
shaping networks are different since they must have the
particular characteristics required to stabilize the S-IVB
stage. The S-IVB servoactuator is very similar in
design to that previously described for the S-II stage,
although a few features differ to adapt to the particular
stage requirements. The S-IVB hydraulic fluid supply is
also similar in layout to that of the S-II, but the
individual components are of a different design. The major
components of the inflight fluid supply system are the
engine pump, a motor-driven auxiliary pump, an
integrated accumulator reservoir module, and
associated interconnecting tubing.

Because the S-IVB pitch and yaw control torques are
derived from a single engine, redundancy is employed to
the maximum extent feasible. As shown in Figure 30,
PRS redundancy is employed to derive the control signals
to the servoactuators.

Figure 29. S-IVB Propelled Phase Pitch-Yaw System

The reliability numbers applicable to a single PRS
channel and the comparator electronics are
R = 0.999* 57 and R_v = 0.999932. The corresponding
unreliability numbers are shown in Figure 30. From
equation 18, P = 0.999999 and U_rp = 1. The reliability
numbers for the simplex portions of the system are
R_actuator = 0.998437 and R_supply = 0.993503. The
equivalent unreliability numbers for these elements of the
system are also shown in Figure 30. A single hydraulic
fluid supply drives both the pitch and yaw actuators.
Figure 31, a simplified block diagram of the total system,
shows the unreliability associated with the various
portions of the system, including the PRS redundant
electronics. The resulting composite numbers are shown in
Table VII.

Figure 30. S-IVB Propelled Phase Pitch System
(Simplified Model)

Figure 31. S-IVB Propelled Phase Pitch and Yaw
Gimbal System Layout


Table VII. S-IVB Propelled Phase

1906
Yaw, neglecting fluid
1563
1.22
0
6497
6497
Total system
9565
10,24 »


Thus, for the total system, the unreliability has been
decreased by the following factor through redundancy:

The numbers reveal a relatively small gain obtained
by the redundancy applied in this subsystem; however,
redundancy was applied only to the electronics, which is
already the most reliable portion of the subsystem. This
design is the result of engineering compromise. PRS
redundancy was easily applied in the electronics;
significant portions already existed in the control computer
because of the multiengine stage requirements. On the
other hand, the servoactuator and the hydraulic supply
were not made redundant because of complexity of
implementation and the resulting weight penalty.

This subsystem has a high unreliability because of
the major simplex items and the possibility of
introducing more redundancy is being pursued. A certain
redundancy not considered in this analysis exists in the fluid
supply because the system has two pumps. Although the
auxiliary pump has a much lower flow than the main
pump, it might sustain the system under certain main
pump failure conditions. The addition of a second higher
flow pump is being considered.

Also being considered is the use of a modified
actuator design, which incorporates a "majority-voting"
servovalve and essentially consists of a triplication of
the valve and mechanical feedback mechanism in the
servoactuator. In case of a malfunction in one channel,
the two correctly operating channels overpower the third
and the system continues to function properly. A
considerable improvement could be expected in the valve
and feedback portions of the actuator; both contribute
significantly to the actuator unreliability.

As previously mentioned, control about the S-IVB
roll axis during propelled flight and about all axes during
the coast phase is maintained by torques derived from
the on-off operation of six auxiliary thrusters. A layout
of the auxiliary control system is shown in Figure 32.

The six inputs to the system (attitude and attitude rates)
are derived in the same manner as during propelled
phase control. The outputs of the electronic system
actuate relays which operate the valves of the six
auxiliary thrusters. As indicated, pitch is controlled by
engines A and B; yaw and roll signals are intermixed and
determine the operation of engines C, D, E, and F to
maintain control about these two axes. In addition to
scaling amplifiers similar to those employed in other
flight phases to establish the correct relative gains in the
system, the electronics also include attitude signal
limiters, spatial switching amplifiers which operate the
propellant valve relays, and spatial comparators. The
attitude and attitude rate signals are summed in a
magnetic amplifier stage similar to that employed in the
propelled phases. The switching function is accomplished
in a Schmitt trigger circuit which furnishes the input
to the relay drivers. The relay drivers operate
double-pole double-throw relays which switch power to the coils
of the fuel and oxidizer valves of the thrusters.
Pseudo-rate modulation circuitry, which provides a refinement
of the simple on-off spatial attitude control techniques,
is also included in the spatial amplifier module. The
pseudo-rate circuitry provides a modulated band in which
the duration and frequency of thruster pulses are varied
depending on the input signals. When the input signal
exceeds a certain level, the thrusters are commanded to
the on position continuously; below a certain level, the
thrusters are turned off and the vehicle attitude coasts
within the prescribed deadband. The pseudo-rate
modulated band provides a more rapid damping out of
disturbances and hence a more efficient utilization of
thruster propellants. The electronics also contain a
circuit which insures that when a thruster is activated it
stays on for a certain minimum time; this characteristic
is necessary to maintain the thruster specific
impulse at the desired level.


The auxiliary control system employs two types of
redundancy: (1) PRS redundancy similar to that
previously described is employed in the electronics portion
of the system, and (2) the propellant valves of the
thrusters are connected in a quadruplex arrangement
and are activated by parallel relays.

A simplified diagram of one axis of the auxiliary
control system is shown in Figure 33. The pitch axis
coast control represents the simplest layout. Roll and
yaw coast control are similar to pitch with the exception
that they are coupled and require four thrusters. The
propelled phase roll control layout is similar to that of
Figure 33 except that four thrusters are involved, with
two being simultaneously activated for each roll
correction.

Figure 33. S-IVB Pitch Coast Control System

The reliability numbers applicable to the PRS
electronics modules are R = 0. '.PPM, 22 and R_v = 0. '.*!• isss.
From equation 18, P = 0.999999 and U_r(elect) = 1.

The numbers used for a single module of the
quadruplex valving arrangement are

R = (R_relay)(R_valves) = (0.999990)(0.997330) = 0.997340.

Since the relay reliability is very high compared to the
valves, the simplifying assumption is made that the relay
can be included with the valves in this analysis. Using the
numbers in equation 20 for a quadruplex arrangement
yields R = 0.999986, U_r(valves) = 14. The total
unreliability of the redundant portion is

U_rp = U_r(elect) + 2 U_r(valves) = 1 + 2(14) = 29.

The term 2 U_r(valves) arises from the two sets of
quadruplex valves. Except for the valves, the APS engine is
simplex. The applicable reliability number is
R = 0.999905. Since two simplex engines are employed,
the unreliability of this portion is U_sp = 2(95) = 190.
The corresponding unreliability numbers for the
individual electronic modules, valves, and engines are
indicated in Figure 33. The unreliability of the pitch
system as indicated is

U_r = U_rp + U_sp = 29 + 190 = 219.

The corresponding numbers for the yaw and roll
channels can be similarly derived. These results along
with those for the total system, an equivalent simplex
system, and the improvement ratio are shown in Table
VIII. The total system improvement ratio is


Table VIII. S-IVB Auxiliary Attitude Control

                 U_rp   U_sp   U_r     U_s     U_s/U_r
Pitch             29    190    219     5904     27.0
Yaw and roll      58    380    438    11,820    27.0
Total system      87    570    657    17,724    27.0


Note that the preceding assessment does not include the
simplex APS propellant supply modules, which also
supply the propellant for the S-IVB ullage engines.


The unreliability assessment for the various
subsystems and the total control system is summarized in
Table IX. As previously indicated, the improvement
ratio is very large in the case of the rate system which is
totally redundant; however, it is not very significant in
the S-IVB propelled phase gimbal system because of the
simplex hydraulic system. Primarily because of the
relatively high unreliability of the latter, the
improvement ratio of the total control system through redundancy
is only a modest 0,3.


Table IX. Control System


Problems Associated With Redundant Applications

The benefits to be derived from redundancy have
been demonstrated, and it has been shown that the
unreliability of a simplex system can, in some cases, be
reduced by orders of magnitude when redundancy is
applied. Although the disadvantages of redundancy are
not readily assessed quantitatively, it is recognized that
this gain in reliability is at the expense of other design
factors or operational procedures. Some of the problems
encountered with the application of redundancy are
enumerated and the effect of redundancy on the system is
indicated.

The most significant disadvantage of redundancy is
the increased complexity, both in terms of component
parts and system organization. In the simplest forms,
i.e., series or parallel components, the number of
components is twice that of a simplex system. In a duplex
modular system, the number of components is more than
doubled to provide a means of sensing and switching. In
the triple-modular redundant digital system, the voters
and failure isolation and detection circuits require almost
as many component parts as a single channel; therefore,
a system contains between three and four times as many
parts as a simplex system. In the PRS circuitry of the
control system, the component count also ranges from
three to four times that of a simplex channel, depending
on the relative complexity of the comparator required.
In the example of the quadruplex redundancy cited in the
auxiliary control valves, no sensing or voting was
required so the system is four times as complex. The only
application of redundancy which does not add additional
components to the system is the MPE gimbal system; the
complexity of this system was imposed by other design
considerations and the benefits of redundancy are achieved
without additional complication. The gain in reliability
through redundancy is, in this case, a bonus rather than
the primary purpose of the multiple parallel elements.


Other major problems inherent in redundant
applications are failure detection and isolation. Failures in the
redundant element must be detected and removed before
flight. Failure to verify that all channels are operating
can actually result in a degradation of the system
compared to a simplex system. For instance, consider one
trio of a TMR system. If the vehicle is launched with one
of the units out, the system would fail if either of the
other two malfunctioned. Since there are two remaining
units, either of which could result in a system failure,
the unreliability of the system is nearly twice that of the
simplex system. Failures occurring during flight must
be detected so that corrective action can be taken for
future flights. Because more component parts are
employed in redundant systems, the number of component
part failures can be expected to be greater than those in
a simplex system by a factor of the ratio of the number of
component parts in a redundant system to the number of
component parts in a simplex system.

The LVDC, LVDA, and control system illustrate
how the failure detection and isolation problem is
approached in the Saturn V guidance and control system.
In the LVDC and LVDA, disagreement detectors indicate
when a failure has occurred in either of these units, each
of which consists of over 100 detectors. Several
detectors are "OR'ed" together and fed to a bit in a 26-bit
register, storing failure indications which can be read
by the ground launch computer before flight and
telemetered during flight. Sixteen bits of the register are used
to store LVDC failure information while the remaining
10 bits are used for the LVDA. Because of the "OR'ing"
operation, however, it is not always possible to pinpoint
the cause of failure.

To assist in failure isolation before flight, means to
switch in and out various redundant paths must be
provided. For example, in checking the LVDA power
supplies, switching both the feedback amplifiers and the
converters is necessary. In the TMR logic, module as
well as channel switching is desirable such that a failure
can be isolated to two or three logic pages. These
features have been incorporated in the computer system
and means are available for checking all alternate paths.
The presence of the multiple channels within the
redundant system, along with the isolation capabilities
incorporated, considerably enhances the troubleshooting
possibilities. This is a significant by-product of
redundancy, particularly in a complex system such as
the Saturn digital system.

Signals from the ground can be substituted during
checkout for each of the three inputs to the PRS systems
employed in the control system. The comparator's
ability to switch can consequently be checked for various
combinations of inputs, and the standby units can be
exercised. Means are available to switch back from the
standby to the prime unit from ground control in case the
redundant circuit switches because of an intermittent
condition during prelaunch checkout. In addition, the
state of the comparator is telemetered such that
switching to the standby is detectable during flight; however,
the switch-back capability is not present during
flight.

The necessity for failure detection, isolation, and
removal of failed units is perhaps obvious; however, a
more subtle problem arises in using these schemes in an
operational prelaunch checkout system. For example, if
a failure in a redundant flight item occurs hours before
the flight, a spare may be substituted without impact on
the countdown or launch. However, should a failure in a
redundant item occur just seconds before the scheduled
liftoff, the removal of the failed item would require a
hold or a scrub, possibly resulting in a costly schedule
delay. A tradeoff must be made between the effect of the
failed unit upon mission success and the cost, schedule,
and other critical considerations brought about by a hold
or scrub. It is imperative then that redundancy
considerations be included in launch ground rules, where
practical. When applied, such considerations complicate
launch procedures; when not applied, considerable
pressure is brought to bear on engineering judgement.

To derive maximum benefit from the redundancy
employed in the Saturn vehicle system, the computer
system is utilized to the greatest extent possible because
it is the only item within the vehicle capable of making
logical choices and decisions. The Saturn V flight
program is designed to make maximum use of the
existing redundancies in the vehicle hardware. It is
generally accepted that a major effort in any guidance and
control system is the preparation and checkout of the
flight program. This is particularly true in space vehi-
cles where each mission is different from the previous
one. Consequently, the "canned" programs cannot be
used. Adding redundant features to system hardware
complicates flight programs since backup paths or
redundant loops must be incorporated. Examples have
previously been cited of the value of the computer system
in determining "reasonable" values for accelerometer
and gimbal angle readings. If it is determined that these
values are not "reasonable," alternate modes of operation
are followed. Therefore, means must be provided in the
various program checkout facilities where failures can
be induced and alternate program modes can be checked
in a manner similar to that employed in hardware
checkout. A problem also exists in determining "reason-
able" values, both in terms of which quantities should be
used as well as the limits applied to each quantity.

Other disadvantages of redundancy, which are a
direct outgrowth of increased complexity, are the
physical quantities of increased power, weight, and cost.
These quantities have not been, and probably cannot be,
accurately assessed, but estimates can be made. The
most straightforward of the above quantities to consider
is power, since it is reasonable to assume that the
power requirements of a system are directly propor-
tional to the number of component parts; i.e., the ratio
of the power required by a redundant system as compared
to a simplex system may be estimated to be directly
proportional to the ratio of the number of components in
the two systems.

The weight penalty of a redundant system is not as
easy to estimate, for consideration must be given to
packaging density and efficiency, heat dissipation, and
type of packaging technique employed. In general, weight
ratio is estimated to be less than the component part
ratio. How much less depends on factors such as type of
redundancy employed, failure detection and isolation
schemes, packaging techniques, and type of cooling
method utilized.

The impact of redundancy upon cost is most difficult
to analyze for it runs the gamut of the aforementioned
problems. Cost is influenced by the number of parts,
system design, checkout, programing, and launch costs.
Cost is also greatly dependent upon the type of redun-
dancy employed. From the initial design phase through
the launch phase, the cost of a redundant system is
probably from 3 to 10 times that of an equivalent simplex
system.

Conclusions 

The various types of redundancy employed in the
Saturn guidance and control system and typical numbers
demonstrating the improvements gained have been
presented. Although the various types of redundancy
show a theoretical difference in the relative improve-
ments, the choice of the type employed in each case is in
actuality dependent on the practical implementation
aspects. In the design of the Saturn guidance and control
system, the following approach was employed. Those
portions of the system to which redundancy could be
readily applied were first identified and then the type of
redundancy was selected by numerical analysis and
engineering tradeoff with emphasis on the latter.

Table X summarizes the unreliabilities of the guid-
ance and control system, consisting of the three major
systems.


Table X. Summary of Guidance and Control
Subsystem Reliability

The digital system, which is almost totally redundant,
has a significantly lower unreliability than the other two
systems. This should not be interpreted to mean, how-
ever, that incorporating redundancy in the other systems
is to no avail. Actually, significant improvements are
made in all three systems through redundancy. The fact
that the three major systems have significantly different
reliability and that the most reliable system (in simplex
form) employs the highest degree of redundancy empha-
sizes the philosophy employed in the design of the Saturn
system. The approach did not attempt to enforce equal
reliability for subsystems of similar significance and
complexity; it was instead to benefit to the maximum
reasonable extent in those areas where redundancy could
be readily applied while relying on simplex elements
where redundancy would have resulted in undue complex-
ity or other significant penalties. This philosophy
results in significant differences in the extent to which
redundancy is applied not only within the various portions
of the guidance and control system but also throughout the
total Saturn launch vehicle.

In the stabilized platform and control systems, the
unreliability remains high compared to the digital system
because each contains major simplex electromechanical
elements. However, compared to other major systems
in the launch vehicle, where little or no redundancy is
incorporated, the systems look very favorable. The
overall guidance and control system reliability is con-
sidered acceptable for the Apollo mission. The con-
tinuing investigations of backup schemes and design
modifications being considered are merely to enhance the
reliability further.

It should be reiterated that the unreliability numbers
shown represent the predicted number of component or
subsystem malfunctions in a million flights and not the
number of mission failures. The latter, sometimes
referred to as the criticality number, is derived by con-
sidering the individual failure modes and corresponding
effects. The criticality numbers for the various sub-
systems are considerably lower than the unreliability
numbers quoted.

Note that several subsystems closely related to the
guidance and control system are not included in the
analysis. Principal examples are the vehicle primary
power source, the auxiliary propulsion system propellant
source, the switch selectors which provide vehicle
sequencing, and the digital command system. While
these elements support the guidance and control system,
they also perform other vehicle functions and support
other major subsystems.

The benefits of redundancy must be traded off against
the resulting penalties in weight, power, cost, and opera-
tional complexity; but the application of redundancy can-
not be utilized as a substitute which permits relaxation
of basic reliability design principles. High reliability
component parts programs and t * . . ' - 1 quality control must
be maintained; to derive pr.-ett d benefits, redundancy
must be applied to a basically highly reliable n a

The Saturn guidance and control system is an
inherently reliable system because major emphasis has
been placed on design conservatism and simplicity, use
of carefully selected component parts, and extensive
testing. In addition, through p 'Irian application of
redundancy, the overall result is a system of very high
reliability and flexibility. The dependability of the
system has been demonstrated through three successful
Saturn IB flights without a functional failure and nt ire
thousands of hours of ground t> ;i .. • r I •

results against the problems and disadvantages >■ e

conclude that the design approach is justified and has
been verified to be basically sound.